On Wed, Jan 13, 2021 at 01:27:52PM +0100, Andras Korn wrote:
> Can you somehow make the library complain very loudly when an attempt is made to use CACERTDIR, but the setting is ignored?

This is not sarcastic, but a good faith question: if it had printed something to stderr, would you have seen it? I don't think I have any way to make something appear in (for example) sssd's own log file.

In fact, it does already log a warning, but I suppose most applications using the library probably don't enable any log level.

https://git.openldap.org/openldap/openldap/-/blob/OPENLDAP_REL_ENG_2_4/libraries/libldap/tls_g.c#L187-190

On Wed, Jan 13, 2021 at 01:44:07PM +0100, Andras Korn wrote:
> OK, looking further, part of the problem is that I didn't have
> libldap-common installed, thus no /etc/ldap/ldap.conf.
>
> Since this (and the accompanying manpage) is all that libldap-common
> contains: what's the rationale for having these in a separate package?

Policy 8.2: "If your package contains files whose names do not change with each change in the library shared object version, you must not put them in the shared library package."

https://bugs.debian.org/330695

> The libldap package only Recommends libldap-common (which is why I didn't
> have it); however, it is libldap-common that enables the sensible defaults.
>
> Why shouldn't libldap come with the sensible defaults itself?

It's your decision whether to install Recommends or not, but AFAIK it's generally not considered a bug if some feature or behaviour is missing when Recommends are not installed.

Why isn't the default in the code of libldap → this is upstream's decision, and I won't introduce a Debian-local change to override it, sorry.

Why isn't the config file shipped in the libldap package → see above.

hope this helps,
Ryan
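
A check an administrator could run for the situation discussed in this thread, where a CA directory setting is configured but silently ignored. This is an added example, not code from the thread, OpenLDAP or Debian; the function name `audit_ldap_conf` and the sample file are constructed, and it assumes the libldap in use is the 2.4 build linked above, which ignores the directory option.

```shell
#!/bin/sh
# Added example, not from the thread. audit_ldap_conf is a hypothetical helper.
# Exit status: 0 = TLS_CACERT set, 1 = only TLS_CACERTDIR set,
#              2 = neither option set, 3 = file missing or unreadable.
audit_ldap_conf() {
    conf=$1
    if [ ! -r "$conf" ]; then
        echo "$conf: missing or unreadable"
        return 3
    fi
    # ldap.conf option names are case-insensitive; '#' starts a comment line.
    awk -v f="$conf" '
        /^[ \t]*#/ || NF < 2 { next }
        { key = toupper($1) }
        key == "TLS_CACERT"    { cacert = $2 }
        key == "TLS_CACERTDIR" { cadir = $2 }
        END {
            if (cacert != "") { print f ": TLS_CACERT " cacert; exit 0 }
            if (cadir != "") {
                print f ": only TLS_CACERTDIR " cadir " set (ignored per the thread)"
                exit 1
            }
            print f ": no CA certificate option set"
            exit 2
        }' "$conf"
}

# Constructed sample input: a config that relies on the directory option alone.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'BASE dc=example,dc=org' \
    'tls_cacertdir /etc/ssl/certs' > "$sample"
audit_ldap_conf "$sample" || echo "finding, status $?"
rm -f "$sample"
```

The function reads only the file it is given; per-user ldaprc files and `LDAPTLS_*` environment variables, which libldap also consults, are not checked.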
