Bug#471146: nslcd: refuses to start with rootbinddn in old configuration
tags 471146 + pending thanks On Mon, 2008-03-17 at 23:12 +0100, Petter Reinholdtsen wrote: I'm afraid that is currently already impossible to simply copy the configuration file because not all options are supported and not all options have the same syntax (e.g. attribute mapping). You mention copying, as if you belive I have copied the file used by libnss-ldap into the file used by libnss-ldapd. I have not. I had the former installed, and then tried to install the latter. This did not give me a new configuration file, but nslcd seem to use the old configuration file as the new one is missing. Not sure what happened, but assume the postinst of libnss-ldapd took care of everything. Right, I think I misunderstood then. In any case, nss-ldapd should figure out a correct configuration file on installation. It currently uses parts of the nss_ldap configuration as defaults but should only copy the supported options (possibly translating stuff). So what this bug describes is that the installation can result in an invalid configuration file if /etc/libnss-ldap.conf contains a rootbinddn directive. This bug should be fixed in the next release (fixed in svn). -- -- arthur - [EMAIL PROTECTED] - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#471146: nslcd: refuses to start with rootbinddn in old configuration
On Sun, 2008-03-16 at 16:38 +0100, Petter Reinholdtsen wrote: I am not sure if that is the use case for it. The use case I know about is to get passwd passowrd changing working for the root user. For that to work, one also need to store the ldap admin password in clear text on the disk, so I never use it. I think that is also the PAM part only because NSS does not provide any means to write values. The use case I care about for this bug report is that it should be possible to switch from libnss-ldap to libnss-ldapd without having to modify the configuration file manually, even if the rootbinddn was set in the configuration file for libnss-ldap. I'm afraid that is currently already impossible to simply copy the configuration file because not all options are supported and not all options have the same syntax (e.g. attribute mapping). I'm afraid I want to hold onto the bailing out on configuration errors because of the reasons outlined earlier so copying the file is not likely to work. I do want to make nss-ldapd pick up nss_ldap configuration options on installations as it currently does (and make it better hopefully). This makes installing nss-ldapd over nss_ldap very easy. Contributions to automatically migrate other (non-debconf-managed) settings is welcome. -- -- arthur - [EMAIL PROTECTED] - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#471146: nslcd: refuses to start with rootbinddn in old configuration
[Arthur de Jong] On Sun, 2008-03-16 at 16:38 +0100, Petter Reinholdtsen wrote: I am not sure if that is the use case for it. The use case I know about is to get passwd passowrd changing working for the root user. For that to work, one also need to store the ldap admin password in clear text on the disk, so I never use it. I think that is also the PAM part only because NSS does not provide any means to write values. Ah, good point. Yes, that is PAM. I'm afraid that is currently already impossible to simply copy the configuration file because not all options are supported and not all options have the same syntax (e.g. attribute mapping). You mention copying, as if you belive I have copied the file used by libnss-ldap into the file used by libnss-ldapd. I have not. I had the former installed, and then tried to install the latter. This did not give me a new configuration file, but nslcd seem to use the old configuration file as the new one is missing. Not sure what happened, but assume the postinst of libnss-ldapd took care of everything. Happy hacking, -- Petter Reinholdtsen -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#471146: nslcd: refuses to start with rootbinddn in old configuration
Package: libnss-ldapd Version: 0.6 When installing libnss-ldapd on a test machine, and after fixing the issue with double base entries (bug #471131), the nslcd daemon refuses to start because it find the rootbinddn option in /etc/nss-ldapd.conf: minerva:/# /etc/init.d/nslcd restart Restarting nss-ldapd connection daemon: nslcdnslcd: /etc/nss-ldapd.conf:19: option rootbinddn is currently unsupported failed! minerva:/# Why does this error have to be fatal? I would prefer it to only result in a warning and perhaps a syslog message, and that the daemon ignored the value and started. It would make it easier to switch from nss-ldap to nss-ldapd. Happy hacking, -- Petter Reinholdtsen -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#471146: nslcd: refuses to start with rootbinddn in old configuration
On Sun, 2008-03-16 at 11:14 +0100, Petter Reinholdtsen wrote: When installing libnss-ldapd on a test machine, and after fixing the issue with double base entries (bug #471131), the nslcd daemon refuses to start because it find the rootbinddn option in /etc/nss-ldapd.conf: [...] Why does this error have to be fatal? I have made it so that all configuration options that are unsupported or unrecognised result in an error. This prevents the situation where the daemon runs with a configuration that is different from what the administrator expected when he configured it. For nss_ldap (or OpenLDAP) there could be reasons to silently ignore unknown, mis-spelled or unsupported options but for a stand-alone deamon those arguments don't hold very well IMHO. I would prefer it to only result in a warning and perhaps a syslog message, and that the daemon ignored the value and started. It would make it easier to switch from nss-ldap to nss-ldapd. There was partial support for the rootbind{dn,pw} options in the maintainer scripts before so those options got copied from nss_ldap. I've fixed this problem to not set rootbind{dn,pw} from the maintainer scripts, even if they were set in /etc/libnss-ldap.conf. I have been giving the rootbind{dn,pw} options some thought and am less and less convinced that they are a good idea to implement. If, for instance you use nscd, most passwd/group/host lookups come from nscd which runs as root (shadow lookups aren't proxied through nscd). This would mean that for most lookups rootbind{dn,pw} are used instead of the normal credentials as you would expect. The only real usecase of having this option (as far as I know) would be to expose password hashes through passwd and/or shadow lookups for authentication. Using PAM is a much better way to do authentication because you don't have to expose the password hashes at all and can use any hash supported by the LDAP server. Lastly it would complicate the code and would probably require more connections to the LDAP server in nslcd (because LDAP connections are re-used for different processes). -- -- arthur - [EMAIL PROTECTED] - http://people.debian.org/~adejong -- signature.asc Description: This is a digitally signed message part
Bug#471146: nslcd: refuses to start with rootbinddn in old configuration
[Arthur de Jong] The only real usecase of having this option (as far as I know) would be to expose password hashes through passwd and/or shadow lookups for authentication. Using PAM is a much better way to do authentication because you don't have to expose the password hashes at all and can use any hash supported by the LDAP server. I am not sure if that is the use case for it. The use case I know about is to get passwd passowrd changing working for the root user. For that to work, one also need to store the ldap admin password in clear text on the disk, so I never use it. The use case I care about for this bug report is that it should be possible to switch from libnss-ldap to libnss-ldapd without having to modify the configuration file manually, even if the rootbinddn was set in the configuration file for libnss-ldap. Happy hacking, -- Petter Reinholdtsen -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]