> -----Original Message-----
> From: Steve Langasek [mailto:[EMAIL PROTECTED]
> Sent: Monday, February 26, 2007 3:39 PM
> To: Giuseppe Sacco; [EMAIL PROTECTED]
> Cc: Jamie ffolliott
> Subject: Bug#407746: libpam-ldap upgrade breaks pam_ldap.conf and can't login
>
> On Mon, Feb 26, 2007 at 02:34:51PM +0100, Giuseppe Sacco wrote:
> > Could you please explain once more what happens if you put your
> > complete URI, like "ldaps://..../" when prompted for the host?
> > According to the script, when an uri is inserted, then the host is
> > commented out and the uri directive is added.
>
> The nature of this bug is that the libpam-ldap.conf has been
> manually edited, and on upgrade the user is *not* prompted
> again, but the local changes are overwritten instead. That's
> the behavior that needs to be addressed here.

The issue that forces manual editing is that: the package wants to maintain the libpam-ldap.conf, and will not allow me to specify a "uri" setting to speak to the ldap server via ldaps://. There are almost always other types of changes one needs to make to the .conf, so debconf will never be the only thing writing this file.

Alternatively, allow configuration of the "uri" setting using debconf, or simply convert to using the "uri" setting instead of "host" since it is more flexible.

    uri ldap://hostname

is equivalent to

    host hostname
    port 389

The other issue is that you store a sensitive password (allowing write to the ldap directory) in debconf, without appropriate encryption - that stuff should generally not be stored and used to overwrite the pam_ldap.secret file. I'd prefer if it asked for the password once on initial install, and never touched it again, or at the very minimum should prompt each time before overwriting it.

> Unfortunately it's made trickier by the goal to keep
> libpam-ldap and libnss-ldap in sync, since you can't have
> both config files be the master source for this value and
> still have them in sync all the time.

I suppose it's redundant that each package asks for the same information. That may be ok for the initial install, but for maintenance that can be frustrating.

> --
> Steve Langasek                   Give me a lever long enough and a Free OS
> Debian Developer                   to set it on, and I can move the world.
> [EMAIL PROTECTED]                                   http://www.debian.org/
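
The host-to-uri conversion discussed in this thread, as an added example that is not part of the original message and is not the libpam-ldap maintainer script: it comments out "host" and "port" and adds the equivalent "uri" line, passes every other line through untouched, and changes nothing when an active "uri" directive is already present. The function name host_to_uri and the sample configuration are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the package's own code.
# host_to_uri CONF: print CONF with "host"/"port" replaced by one "uri" line.
# Lines other than host/port (including manual edits) are printed unchanged.
# If an active "uri" directive exists, the whole file is printed as is.
host_to_uri() {
    awk '
        { line[NR] = $0 }
        $1 == "uri"  { have_uri = 1 }
        $1 == "host" { host_nr = NR; nhosts = NF - 1
                       for (i = 2; i <= NF; i++) hosts[i - 1] = $i }
        $1 == "port" { port_nr = NR; port = $2 }
        END {
            rewrite = (!have_uri && host_nr)
            for (n = 1; n <= NR; n++) {
                if (rewrite && n == host_nr) {
                    # Keep the old directive visible, as a comment.
                    print "#" line[n]
                    out = "uri"
                    for (i = 1; i <= nhosts; i++) {
                        u = "ldap://" hosts[i]
                        # 389 is the default, so it is left implicit.
                        if (port != "" && port != "389") u = u ":" port
                        out = out " " u
                    }
                    print out
                } else if (rewrite && n == port_nr) {
                    print "#" line[n]
                } else {
                    print line[n]
                }
            }
        }
    ' "$1"
}

# Constructed sample configuration (not taken from the bug report).
sample=$(mktemp)
cat > "$sample" <<'EOF'
base dc=example,dc=net
host ldap.example.net
port 389
pam_password crypt
EOF
host_to_uri "$sample"
rm -f "$sample"
```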