Package: nslcd Severity: wishlist Tags: d-i Dear Maintainer,
I should perhaps state now that I am using Ubuntu 12.04 for reporting the bug, and initially encountered it while automating installation via preseeding for Ubuntu 14.04. While preseeding for nslcd, I found that I can use preseed for enabling start_tls and requiring a certificate, but I cannot sepcifiy where my CA certificate file can be found. As far as I can tell, nslcd does not have a default value for either TLS_CACERTFILE or TLS_CACERTDIR (not relevant, since LDAP is compiled with GnuTLS and lacks support for the directory option) either. Note that a default value for TLS_CACERT is generated in /etc/ldap/ldap.conf, presumably due to preseeded enabling of start_tls for libpam-ldapd via a shared setting: # TLS certificates (needed for GnuTLS) TLS_CACERT /etc/ssl/certs/ca-certificates.crt So, what I am requesting is either a new debconf setting for nslcd to specify the CA cert file, or the generation of a line similar to the above one *if* start_tls is enabled. I think allowing us to require a trusted certificate via preseeding is mostly pointless if it doesn't have list of trusted CAs from somewhere to go along with it. I know that we can specifiy not requiring a certificate from the server via preseeding, but allowing us to require one implies that we should be able to handle *how* such a certificate becomes trusted. I pointed this out upstream and was requested to post a bug here (http://lists.arthurdejong.org/nss-pam-ldapd-users/2014/msg00096.html), rightly, since this is a Debian-derivative installer-specific issue. As it stands, I replace the entire config file, which means, *all* other nslcd debconf selections are rendered useless to me. I have verified this happens on jessie, and felt that the Debian BTS is the place to report this. Apologies if it is not. I figure that the precedent established by the shared setting for libpam-ldapd, which is: libpam-ldapd shared/ldapns/ldap-starttls boolean true suggests that autogeneration of a default value is the way to go, avoiding translation issues. -- System Information: Debian Release: precise APT prefers precise-updates APT policy: (500, 'precise-updates'), (500, 'precise-security'), (500, 'precise-proposed'), (500, 'precise') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-61-generic (SMP w/2 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]

