Package: nslcd
Severity: wishlist
Tags: d-i

Dear Maintainer,

I should perhaps state now that I am using Ubuntu 12.04 for reporting
the bug, and initially encountered it while automating installation
via preseeding for Ubuntu 14.04. 

While preseeding for nslcd, I found that I can use preseed for
enabling start_tls and requiring a certificate, but I cannot sepcifiy
where my CA certificate file can be found. As far as I can tell, nslcd
does not have a default value for either TLS_CACERTFILE or
TLS_CACERTDIR (not relevant, since LDAP is compiled with GnuTLS and
lacks support for the directory option) either.  Note that a default
value for TLS_CACERT is generated in /etc/ldap/ldap.conf, presumably
due to preseeded enabling of start_tls for libpam-ldapd via a shared
setting:
   # TLS certificates (needed for GnuTLS) 
   TLS_CACERT /etc/ssl/certs/ca-certificates.crt

So, what I am requesting is either a new debconf setting for nslcd to
specify the CA cert file, or the generation of a line similar to the
above one *if* start_tls is enabled. I think allowing us to require a
trusted certificate via preseeding is mostly pointless if it doesn't
have list of trusted CAs from somewhere to go along with it. I know
that we can specifiy not requiring a certificate from the server via
preseeding, but allowing us to require one implies that we should be
able to handle *how* such a certificate becomes trusted. 

I pointed this out upstream and was requested to post a bug here 
(http://lists.arthurdejong.org/nss-pam-ldapd-users/2014/msg00096.html),
rightly, since this is a Debian-derivative installer-specific issue.
As it stands, I replace the entire config file, which means, *all*
other nslcd debconf selections are rendered useless to me.  I have
verified this happens on jessie, and felt that the Debian BTS is the
place to report this. Apologies if it is not. I figure that the
precedent established by the shared setting for libpam-ldapd, which
is:
   libpam-ldapd shared/ldapns/ldap-starttls boolean true
suggests that autogeneration of a default value is the way to go,
avoiding translation issues.

-- System Information:
Debian Release: precise
  APT prefers precise-updates
  APT policy: (500, 'precise-updates'), (500, 'precise-security'), (500, 
'precise-proposed'), (500, 'precise')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-61-generic (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash


-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to