On Fri, 2009-05-22 at 13:15 -0300, Rodrigo Campos wrote:
> Hi, I've just upgraded from libnss-ldapd 0.6.7.1 (the version in
> lenny) and it stopped working. I have also tried 0.6.8 and it fails
> too. If I downgrade to the version in lenny, it works again.
>
> After digging for a while, I tried adding "tls_reqcert no"
> in /etc/nss-ldapd.conf and it started working OK :) (i.e. "id
> <username>" works and everything else seems to work too).
>
> If some default has changed, I was wondering if it is possible to
> handle it in a more smooth way.

The problem was that in earlier versions of nss-ldapd, the OpenLDAP library also parsed /etc/ldap.conf, ~/.ldaprc and used some environment variables. Since this could result in weird interaction between options this was disabled. Now all options should be in /etc/nss-ldapd.conf. Btw, release 0.6.8 had problems with the tls_reqcert option because of a bug in OpenLDAP (#525605).

Any suggestions on how to handle this on upgrading are welcome.

> Also, that option is not possible to configure using "dpkg-reconfigure
> -plow libnss-ldapd", so in my case it is not possible to have a working
> installation answering the debconf questions.

Well, it is possible to have a working installation but not with SSL/TLS and tls_reqcert something other than the default (which is demand according to the ldap.conf(5) manual page).

Perhaps another debconf question is in order when using SSL/TLS. What do you think? The problem with that approach is that you probably also have to ask for tls_cacertdir and/or tls_cacertfile. The whole idea of the debconf questions is to get a minimal configuration working. It is not meant to fully configure the package.

> Also, I want to report success on "tls_reqcert no", as when I started it it
> says:
>
> Starting nss-ldapd connection daemon: nslcdnslcd: /etc/nss-ldapd.conf:25:
> option
> tls_reqcert is currently untested (please report any successes)
>
> and that option makes my installation work :)

Thanks. I will consider removing the SSL/TLS related warnings since this is a common configuration that seems to be working for most users.

-- 
-- arthur - [email protected] - http://people.debian.org/~adejong --
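The upgrade issue described in the reply above (TLS settings in the OpenLDAP client configuration no longer being picked up by nss-ldapd), as an added example that is not part of the original message or of the nss-ldapd package: a shell check that lists TLS options set in an ldap.conf-style file but absent from nss-ldapd.conf. The function names, the constructed sample files and the pairing of ldap.conf's TLS_CACERT with tls_cacertfile are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report TLS options that an ldap.conf-style file sets but the
# nss-ldapd config does not, i.e. settings no longer inherited after upgrade.

# Print the first word of the value of option $2 (matched case-insensitively)
# in file $1. Commented-out lines never match; the last occurrence wins.
conf_value() {
    awk -v opt="$2" 'tolower($1) == tolower(opt) { v = $2 }
                     END { if (v != "") print v }' "$1"
}

# For each TLS option set in $1 (ldap.conf style) that has no counterpart in
# $2 (nss-ldapd.conf style), print "OLD -> new (value)".
# The OLD:new pairs below are this example's assumed mapping.
missing_tls_opts() {
    for pair in TLS_REQCERT:tls_reqcert TLS_CACERT:tls_cacertfile \
                TLS_CACERTDIR:tls_cacertdir; do
        old=${pair%%:*}
        new=${pair##*:}
        val=$(conf_value "$1" "$old")
        [ -n "$val" ] || continue
        [ -n "$(conf_value "$2" "$new")" ] || echo "$old -> $new ($val)"
    done
}

# Constructed sample files (not taken from the thread) to exercise the check.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'BASE dc=example,dc=com' 'TLS_REQCERT never' \
        'TLS_CACERT /etc/ssl/certs/ca.pem' > "$d/ldap.conf"
    printf '%s\n' 'uri ldaps://ldap.example.com/' 'base dc=example,dc=com' \
        'tls_cacertfile /etc/ssl/certs/ca.pem' > "$d/nss-ldapd.conf"
    missing_tls_opts "$d/ldap.conf" "$d/nss-ldapd.conf"
    rm -rf "$d"
}

demo
```

On a real system the call would be `missing_tls_opts /etc/ldap.conf /etc/nss-ldapd.conf`, using the paths named in the thread. A reported TLS_REQCERT line means certificate checking was previously relaxed in the OpenLDAP client configuration and nss-ldapd now falls back to its own default.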

