reassign 590998 libpam-ldap
thanks

On Fri, Jul 30, 2010 at 04:10:36PM -0400, Patricio Rojo wrote:
I apologize if this is the wrong package in which to file this wishlist. I'll appreciate forwarding in that case.

I manage users in one machine with LDAP. I'm very surprised that I need to change the address of my ldap server, I had to edit each of

/etc/ldap/ldap.conf
/etc/pam_ldap.conf
/etc/libnss-ldap.conf

Wouldn't it make more sense to have only one line with such information, and maybe that file can be specified from the others?

/etc/ldap/ldap.conf is a configuration file for the LDAP library. /etc/pam_ldap.conf and /etc/libnss-ldap.conf are configuration files for
specific applications that use this library.  The two should not be
conflated; there are a number of reasons why you may use different values
for each (and the syntax between the config files isn't even the same).

However, the nss_ldap and pam_ldap config files *could* be merged; this has
already been done in Ubuntu.  So this is something that the maintainer of
these packages could at least consider doing in Debian, I think. Reassigning to libpam-ldap.

--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org

Hi, I know this is ages ago, but as I'm currently digging into related issues and about to submit other bugs, and so ran across this one, I figured I should comment with my own opinion on this issue.

I get the desire to have reduced complexity and fewer places to change the same thing where possible, but given that much of that can be automated via debconf for simple setups now, please don't unnecessarily combine /etc/libnss-ldap.conf and /etc/pam_ldap.conf.

Having naming services be separate from authentication/authorization is a very flexible and powerful feature that other systems like nslcd and sssd can't do. It allows overall machine control vs per service control in very nice and complex ways.

For instance, on an NFS server, one may wish all uid/gids to show up (possibly with different homeDirectory attribute maps), but only select certain ones to be able to authenticate to certain services. This is easy to do when libnss-ldap.conf is separate from pam_ldap.conf and pam_ldap.so can target different config= files for different pam service stacks.

I know that one could continue to specify those config= parameters manually in order to keep them separate if desired, but that'd break age old defaults for existing long term setups.

</cent></cent>

Thanks,
Brian
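
The split described in the message above, sketched as an added configuration example that is not part of the original thread or of the packages' shipped defaults. The server URI, base DN, group DN, the `nfsHomeDirectory` attribute and the `/etc/pam_ldap-sshd.conf` file name are constructed placeholders; the directives and the `config=` module argument are the ones nss_ldap and pam_ldap document.

```conf
# --- /etc/libnss-ldap.conf ---
# Naming only: every account resolves, so uid/gid ownership on the
# NFS server displays correctly even for users who cannot log in.
uri ldap://ldap.example.org/
base dc=example,dc=org
nss_base_passwd ou=People,dc=example,dc=org?one
nss_base_group ou=Groups,dc=example,dc=org?one
# Host-specific home directory mapping (hypothetical attribute name).
nss_map_attribute homeDirectory nfsHomeDirectory

# --- /etc/pam_ldap.conf ---
# Default authentication settings used by stacks that pass no config=.
uri ldap://ldap.example.org/
base dc=example,dc=org

# --- /etc/pam_ldap-sshd.conf (hypothetical per-service file) ---
# Same directory, but only members of one group pass the account check.
uri ldap://ldap.example.org/
base dc=example,dc=org
pam_groupdn cn=nfs-admins,ou=Groups,dc=example,dc=org
pam_member_attribute member

# --- /etc/pam.d/sshd (excerpt) ---
# This service stack points pam_ldap.so at its own file.
auth     required  pam_ldap.so config=/etc/pam_ldap-sshd.conf
account  required  pam_ldap.so config=/etc/pam_ldap-sshd.conf
```

With this layout, `getent passwd` on the host lists all directory users, while an ssh login by a user outside the group is refused at the account stage.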
