tech-pkg archive


Re: {,pam_,nss_}ldap.conf

> Yes, this is intentional;

> nss_ldap and pam_ldap provide the same base options,
> and their specific options are prefixed with nss_ and pam_ respectively.
Yes, I'm aware of this. But I think then pkgsrc should provide a template 
ldap.conf that contains all the nss_ AND pam_ options.
And the MESSAGE should point out that updating from a former version needs 
updating the config file.

> I guess the author's idea was to integrate with OpenLDAP's ldap.conf,
> but our (pkgsrc) OpenLDAP installs ldap.conf in etc/openldap.
Probably yes.

> The benefit of this approach is, for example: when your server's
> parameters have changed, you have only to edit one configuration file.
Yes, I agree this is a benefit. But the drawbacks are:
1. updating can leave your machine in a state where you have to go single-user 
in order to regain access (because PAM fails and/or NSS doesn't know you).
2. every user using both pam_ldap and nss_ldap has to merge the two example 
configs into one.

The first point can be addressed with a MESSAGE file.
While the second is clearly the upstream author's responsibility, I think it 
should nevertheless be patch-fixed in pkgsrc.
