On Sun, May 24, 2009 at 11:45:31AM +0200, Arthur de Jong wrote:
> On Fri, 2009-05-22 at 13:15 -0300, Rodrigo Campos wrote:
> > Hi, I've just upgraded from libnss-ldapd 0.6.7.1 (the version in
> > lenny) and it stopped working. I have also tried 0.6.8 and it fails
> > too. If I downgraded to the version in lenny, it works again.
> >
> > After digging for a while, I tried adding "tls_reqcert no"
> > in /etc/nss-ldapd.conf and it started working OK :) (i.e. "id
> > <username>" works and everything else seems to work too).
> >
> > If some default has changed, I was wondering if it is possible to
> > handle it in a more smooth way.
>
> The problem was that in earlier versions of nss-ldapd, the OpenLDAP library
> also parsed /etc/ldap.conf, ~/.ldaprc and used some environment
> variables. Since this could result in weird interaction between options
> this was disabled. Now all options should be in /etc/nss-ldapd.conf.

What is weird is that I have all options commented in /etc/ldap.conf and
I have no ~/.ldaprc. Also, doing "set | grep -i ldap" I don't see anything
that seems to be related.

Any idea why this was working with 0.6.7.1? Should I look for other used
environment variables?

>
> Btw, release 0.6.8 had problems with the tls_reqcert option because of a
> bug in OpenLDAP (#525605).
>
> Any suggestions on to how to handle this on upgrading are welcome.

Would it be too much work to parse the files that are not parsed anymore
and warn about the options that would be disabled? (although this is not
what happened to me or I didn't check right :)
Perhaps it's not worthless?

>
> > Also, that option is not possible to configure using "dpkg-reconfigure
> > -plow libnss-ldapd", so in my case is not possible to have a working
> > installation answering the debconf questions.
>
> Well, it is possible to have a working installation but not with SSL/TLS
> and tls_reqcert something other than the default (which is demand
> according to the ldap.conf(5) manual page).
>
> Perhaps another debconf question is in order when using SSL/TLS. What do
> you think?
>
> The problem with that approach is that you probably also have to ask for
> tls_cacertdir and/or tls_cacertfile. The whole idea of the debconf
> questions is to get a minimal configuration working. It is not meant to
> fully configure the package.
>
> Thanks. I will consider removing the SSL/TLS related warnings since this
> is a common configuration that seems to be working for most users.

If it's a common configuration and the idea of the debconf questions is to
get a minimal configuration working, perhaps only a question to activate
that option (without the tls_cacertdir/tls_cacertfile if it's too much
work)?

I just said that now I can't have a working installation answering the
debconf questions, just because when I installed it (0.6.7) the only thing
I had to do was to answer the debconf questions to have a working setup
(and I like that I only have to do that :)

Thanks a lot,
Rodrigo
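
The upgrade check proposed in the message above (parse the sources that are no longer read and warn about options that silently stop applying), sketched as an added example; it is not code from this thread or from nss-ldapd. It assumes the ldap.conf(5) option names TLS_REQCERT, TLS_CACERT and TLS_CACERTDIR, their LDAP-prefixed environment forms, and constructed sample file contents.

```python
# Option names: OpenLDAP ldap.conf(5) -> nss-ldapd.conf (the TLS options named in the thread)
LEGACY_TO_NSS = {
    "TLS_REQCERT": "tls_reqcert",
    "TLS_CACERT": "tls_cacertfile",
    "TLS_CACERTDIR": "tls_cacertdir",
}
WEAK_REQCERT = {"no", "never", "allow"}  # a bad server certificate is still accepted


def parse_options(text):
    """Return {OPTION: value} for uncommented 'option value' lines, names upper-cased."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def audit(nss_conf, legacy_files, environ):
    """Report TLS settings that only the formerly-read implicit sources carried."""
    nss = parse_options(nss_conf)
    sources = {name: parse_options(text) for name, text in legacy_files.items()}
    # ldap.conf(5): any option may also be given in the environment as LDAP<OPTION>
    sources["environment"] = {k[4:].upper(): v for k, v in environ.items()
                              if k.upper().startswith("LDAP")}
    findings = []
    for source, opts in sources.items():
        for legacy, new in LEGACY_TO_NSS.items():
            if legacy in opts and new.upper() not in nss:
                findings.append(f"{source}: {legacy} {opts[legacy]} is no longer read; "
                                f"set {new} in nss-ldapd.conf")
    reqcert = nss.get("TLS_REQCERT", "").lower()
    if reqcert in WEAK_REQCERT:
        findings.append(f"nss-ldapd.conf: tls_reqcert {reqcert} does not enforce "
                        "server certificate verification")
    return findings


if __name__ == "__main__":
    # Constructed sample contents, not taken from the reporter's system
    legacy = {"/etc/ldap.conf": "#TLS_REQCERT never\nTLS_CACERT /etc/ssl/certs/ca.pem\n",
              "~/.ldaprc": ""}
    env = {"LDAPTLS_REQCERT": "never", "HOME": "/root"}
    for finding in audit("uri ldaps://ldap.example.net/\ntls_reqcert no\n", legacy, env):
        print(finding)
```
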

