Bug#471146: nslcd: refuses to start with rootbinddn in old configuration
tags 471146 + pending thanks On Mon, 2008-03-17 at 23:12 +0100, Petter Reinholdtsen wrote: I'm afraid that is currently already impossible to simply copy the configuration file because not all options are supported and not all options have the same syntax (e.g. attribute mapping). You mention copying, as if you belive I have copied the file used by libnss-ldap into the file used by libnss-ldapd. I have not. I had the former installed, and then tried to install the latter. This did not give me a new configuration file, but nslcd seem to use the old configuration file as the new one is missing. Not sure what happened, but assume the postinst of libnss-ldapd took care of everything. Right, I think I misunderstood then. In any case, nss-ldapd should figure out a correct configuration file on installation. It currently uses parts of the nss_ldap configuration as defaults but should only copy the supported options (possibly translating stuff). So what this bug describes is that the installation can result in an invalid configuration file if /etc/libnss-ldap.conf contains a rootbinddn directive. This bug should be fixed in the next release (fixed in svn). -- -- arthur - [EMAIL PROTECTED] - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#471146: nslcd: refuses to start with rootbinddn in old configuration
On Sun, 2008-03-16 at 16:38 +0100, Petter Reinholdtsen wrote: I am not sure if that is the use case for it. The use case I know about is to get passwd passowrd changing working for the root user. For that to work, one also need to store the ldap admin password in clear text on the disk, so I never use it. I think that is also the PAM part only because NSS does not provide any means to write values. The use case I care about for this bug report is that it should be possible to switch from libnss-ldap to libnss-ldapd without having to modify the configuration file manually, even if the rootbinddn was set in the configuration file for libnss-ldap. I'm afraid that is currently already impossible to simply copy the configuration file because not all options are supported and not all options have the same syntax (e.g. attribute mapping). I'm afraid I want to hold onto the bailing out on configuration errors because of the reasons outlined earlier so copying the file is not likely to work. I do want to make nss-ldapd pick up nss_ldap configuration options on installations as it currently does (and make it better hopefully). This makes installing nss-ldapd over nss_ldap very easy. Contributions to automatically migrate other (non-debconf-managed) settings is welcome. -- -- arthur - [EMAIL PROTECTED] - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#471146: nslcd: refuses to start with rootbinddn in old configuration
[Arthur de Jong] On Sun, 2008-03-16 at 16:38 +0100, Petter Reinholdtsen wrote: I am not sure if that is the use case for it. The use case I know about is to get passwd passowrd changing working for the root user. For that to work, one also need to store the ldap admin password in clear text on the disk, so I never use it. I think that is also the PAM part only because NSS does not provide any means to write values. Ah, good point. Yes, that is PAM. I'm afraid that is currently already impossible to simply copy the configuration file because not all options are supported and not all options have the same syntax (e.g. attribute mapping). You mention copying, as if you belive I have copied the file used by libnss-ldap into the file used by libnss-ldapd. I have not. I had the former installed, and then tried to install the latter. This did not give me a new configuration file, but nslcd seem to use the old configuration file as the new one is missing. Not sure what happened, but assume the postinst of libnss-ldapd took care of everything. Happy hacking, -- Petter Reinholdtsen -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#471146: nslcd: refuses to start with rootbinddn in old configuration
Package: libnss-ldapd Version: 0.6 When installing libnss-ldapd on a test machine, and after fixing the issue with double base entries (bug #471131), the nslcd daemon refuses to start because it find the rootbinddn option in /etc/nss-ldapd.conf: minerva:/# /etc/init.d/nslcd restart Restarting nss-ldapd connection daemon: nslcdnslcd: /etc/nss-ldapd.conf:19: option rootbinddn is currently unsupported failed! minerva:/# Why does this error have to be fatal? I would prefer it to only result in a warning and perhaps a syslog message, and that the daemon ignored the value and started. It would make it easier to switch from nss-ldap to nss-ldapd. Happy hacking, -- Petter Reinholdtsen -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#471146: nslcd: refuses to start with rootbinddn in old configuration
On Sun, 2008-03-16 at 11:14 +0100, Petter Reinholdtsen wrote:
When installing libnss-ldapd on a test machine, and after fixing the
issue with double base entries (bug #471131), the nslcd daemon refuses
to start because it find the rootbinddn option in /etc/nss-ldapd.conf:
[...]
Why does this error have to be fatal?
I have made it so that all configuration options that are unsupported or
unrecognised result in an error. This prevents the situation where the
daemon runs with a configuration that is different from what the
administrator expected when he configured it.
For nss_ldap (or OpenLDAP) there could be reasons to silently ignore
unknown, mis-spelled or unsupported options but for a stand-alone deamon
those arguments don't hold very well IMHO.
I would prefer it to only result in a warning and perhaps a syslog
message, and that the daemon ignored the value and started. It would
make it easier to switch from nss-ldap to nss-ldapd.
There was partial support for the rootbind{dn,pw} options in the
maintainer scripts before so those options got copied from nss_ldap.
I've fixed this problem to not set rootbind{dn,pw} from the maintainer
scripts, even if they were set in /etc/libnss-ldap.conf.
I have been giving the rootbind{dn,pw} options some thought and am less
and less convinced that they are a good idea to implement. If, for
instance you use nscd, most passwd/group/host lookups come from nscd
which runs as root (shadow lookups aren't proxied through nscd). This
would mean that for most lookups rootbind{dn,pw} are used instead of the
normal credentials as you would expect.
The only real usecase of having this option (as far as I know) would be
to expose password hashes through passwd and/or shadow lookups for
authentication. Using PAM is a much better way to do authentication
because you don't have to expose the password hashes at all and can use
any hash supported by the LDAP server.
Lastly it would complicate the code and would probably require more
connections to the LDAP server in nslcd (because LDAP connections are
re-used for different processes).
--
-- arthur - [EMAIL PROTECTED] - http://people.debian.org/~adejong --
signature.asc
Description: This is a digitally signed message part
Bug#471146: nslcd: refuses to start with rootbinddn in old configuration
[Arthur de Jong] The only real usecase of having this option (as far as I know) would be to expose password hashes through passwd and/or shadow lookups for authentication. Using PAM is a much better way to do authentication because you don't have to expose the password hashes at all and can use any hash supported by the LDAP server. I am not sure if that is the use case for it. The use case I know about is to get passwd passowrd changing working for the root user. For that to work, one also need to store the ldap admin password in clear text on the disk, so I never use it. The use case I care about for this bug report is that it should be possible to switch from libnss-ldap to libnss-ldapd without having to modify the configuration file manually, even if the rootbinddn was set in the configuration file for libnss-ldap. Happy hacking, -- Petter Reinholdtsen -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
