[Christoph Haas]
> I'm unhappy with the outcome of the bug #298148 (kdebase-bin: kcheckpass
> needs setuid bit for ldap authentication). When using libnss-ldap and
> libpam-ldap (optionally) people who lock their screen in KDE will not be
> able to unlock the screen and may (like me) lose data because they
> finally give up and Ctrl+Alt+Backspace. :( It turned out that unlocking
> the screen currently only works if the /usr/bin/kcheckpass binary is
> made setuid root.

This sounds like you have set up LDAP authentication incorrectly, as I
am able to lock the screen with LDAP authentication. Correctly set up,
pam-ldap should do authentication by binding to the LDAP server over
SSL, and this does not require any special privileges. This is the
configuration I use:

  # egrep -v '^#|^$' /etc/pam.d/common-auth /etc/pam_ldap.conf /etc/nsswitch.conf
  /etc/pam.d/common-auth:auth optional pam_group.so
  /etc/pam.d/common-auth:auth sufficient pam_unix.so shadow nullok_secure
  /etc/pam.d/common-auth:auth required pam_ldap.so use_first_pass
  /etc/pam_ldap.conf:host ldap.uio.no
  /etc/pam_ldap.conf:base cn=users,cn=system,dc=uio,dc=no
  /etc/pam_ldap.conf:ldap_version 3
  /etc/pam_ldap.conf:pam_password crypt
  /etc/pam_ldap.conf:ssl start_tls
  /etc/pam_ldap.conf:tls_cacertfile /etc/w3_cacert.pem
  /etc/pam_ldap.conf:tls_checkpeer yes
  #

The LDAP server is set up to only allow binding using passwords over
128-bit encrypted SSL, to make sure the password isn't sent in clear
text. This system is compatible with the one we use in Debian Edu.

Friendly,
--
Petter Reinholdtsen
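
An added example, not part of the message above or of pam_ldap itself: a small Python check that a pam_ldap.conf encrypts the bind and verifies the server certificate, as the quoted configuration does. The function names, the set of accepted `ssl` values and the weak sample file are assumptions made for illustration.

```python
# Added example: audit the transport settings of a pam_ldap.conf.

# The /etc/pam_ldap.conf lines quoted in the message above.
PAGE_CONF = """\
host ldap.uio.no
base cn=users,cn=system,dc=uio,dc=no
ldap_version 3
pam_password crypt
ssl start_tls
tls_cacertfile /etc/w3_cacert.pem
tls_checkpeer yes
"""

# Constructed counter-example: no transport protection at all.
WEAK_CONF = """\
# constructed sample, not from the message
host ldap.example.org
base dc=example,dc=org
ssl no
tls_checkpeer no
"""

def parse(text):
    """Return {directive: value}; comments and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def audit(text):
    """Return a list of findings; an empty list means the bind is protected."""
    conf = parse(text)
    findings = []
    uris = conf.get("uri", "").split()
    ldaps_only = bool(uris) and all(u.lower().startswith("ldaps://") for u in uris)
    # Assumption: these ssl values mean StartTLS or LDAPS is in use.
    if conf.get("ssl", "").lower() not in ("start_tls", "on", "yes", "true") and not ldaps_only:
        findings.append("bind is not encrypted: password crosses the network in clear text")
    if conf.get("tls_checkpeer", "").lower() != "yes":
        findings.append("tls_checkpeer is not 'yes': server certificate is not enforced by this file")
    if "tls_cacertfile" not in conf and "tls_cacertdir" not in conf:
        findings.append("no tls_cacertfile/tls_cacertdir: no CA to verify the server against")
    return findings

if __name__ == "__main__":
    for name, text in (("page", PAGE_CONF), ("weak", WEAK_CONF)):
        print(name, audit(text) or "OK")
```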