package: libnss-ldap
version: 251-7.2
 
Also referring to libpam-ldap_180-1.6
 
Hi Stephen,
 
I just updated in debian testing today, on a system using pam-ldap for
authentication, and now I've got new issues that broke authentication for
this server.  It seems debian has saved certain configurations and
overwritten one or both of these settings:
1) /etc/libnss-ldap.conf : rootbinddn
2) the password in /etc/libnss-ldap.secret
This breaks the authentication credentials when libnss tries to bind to the
slapd server.  Certainly the debian package cannot assume during an upgrade
that the password or bind DN is still the same as the original install, and
should instead leave current settings alone on an upgrade unless it prompts
me for the current settings or warns me it will change them.
 
The libpam-ldap update has also overwritten the "uri" setting in
/etc/pam_ldap.conf, and enabled the "host" setting (which is not compatible
with uri).  This breaks connectivity to the slapd server.  I should at least
have an option of using "host" or "uri", and at least be prompted before you
update the conf file on an upgrade.
 
None of what you are doing is apparent on an apt-get update/upgrade.  There
was no prompt whatsoever that you were about to break access to my system.
Even most packages I've used in the last 7-8 years on debian do not
overwrite critical settings on an upgrade unless they warn me it's
happening.
 
I consider these very serious issues.  If it were not for debian testing,
there would be no excuse to defend use of debian in a live environment,
however this is a very late stage before release and you should be aware of
these obvious sorts of problems.  I've emailed you about the "uri" problem
twice in the last two months.  What gives?
 
Jamie
 
