On Sun, 2009-05-24 at 14:22 -0300, Rodrigo Campos wrote:
> What is weird is that I have all options commented in /etc/ldap.conf
> and I have no ~/.ldaprc.

On Sun, 2009-05-24 at 14:34 -0300, Rodrigo Campos wrote:
> I meant /etc/ldap/ldap.conf (I don't have a /etc/ldap.conf file)
>
> And now that I check, I do have "tls_checkpeer no"
> in /etc/pam_ldap.conf, perhaps that file was parsed too?

This file shouldn't be parsed as far as I know. You can try to start the
old nslcd with:

  strace -f -o /tmp/strace.log nslcd -d

and have a look in the logfile to see which files are opened.

> Any idea why this was working with 0.6.7.1? Should I look for other
> used environment variables?

I'm a bit puzzled by this. If there is nothing in the environment and
nothing in any config file I can't imagine what would be different.

> > Any suggestions on how to handle this on upgrading are welcome.
>
> Would it be too much work to parse the files that are not parsed anymore
> and warn about the options that would be disabled? (although this is
> not what happened to me or I didn't check right :) Perhaps it's not
> worthless?

The problem here is that this can get very complex quickly. You have to
parse /root/.ldaprc, /etc/ldap/ldap.conf and /etc/nss-ldapd.conf and
handle options that are overridden. Also the configuration files may
contain more options than are actually used or useful.

> > Well, it is possible to have a working installation but not with
> > SSL/TLS and tls_reqcert something other than the default (which is
> > demand according to the ldap.conf(5) manual page).
> >
> > Perhaps another debconf question is in order when using SSL/TLS.
> > What do you think?
> >
> > The problem with that approach is that you probably also have to ask
> > for tls_cacertdir and/or tls_cacertfile. The whole idea of the
> > debconf questions is to get a minimal configuration working. It is
> > not meant to fully configure the package.
> >
> > Thanks. I will consider removing the SSL/TLS related warnings since
> > this is a common configuration that seems to be working for most
> > users.
>
> If it's a common configuration and the idea of the debconf questions is
> to get a minimal configuration working, perhaps only a question to
> activate that option (without the tls_cacertdir/tls_cacertfile if it's
> too much work)?

I've been thinking a bit about this and this only works for ldaps://
connections and not when using StartTLS (which seems to be the preferred
method of operation by the OpenLDAP guys). For that to work you also have
to add "ssl start_tls" to the config (which would turn into another
debconf question). The alternative would be to add a note to the URI
debconf question to point out that for SSL more needs to be configured
manually.

-- 
arthur - adej...@debian.org - http://people.debian.org/~adejong
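The checker Rodrigo asks about, written here as an added example and not code from the nss-ldapd package or from either author: it reads the candidate config files, reports TLS options that land in a file nslcd does not parse (per Arthur's list: /etc/nss-ldapd.conf, /etc/ldap/ldap.conf and /root/.ldaprc are read, /etc/pam_ldap.conf is not), and flags values that disable certificate checking. The "allow"/"never" values come from ldap.conf(5); the sample file contents are constructed.

```python
"""Audit LDAP client config files for TLS options that skip certificate
verification, and for TLS options placed in files nslcd never reads."""

# Files nslcd parses according to the thread; anything else is ignored by it.
READ_BY_NSLCD = {"/etc/nss-ldapd.conf", "/etc/ldap/ldap.conf", "/root/.ldaprc"}
TLS_KEYS = {"tls_reqcert", "tls_checkpeer", "ssl", "tls_cacertfile", "tls_cacertdir"}
# Values that disable or weaken server certificate verification (ldap.conf(5),
# pam_ldap.conf): a client with these accepts any certificate on the wire.
WEAK = {("tls_reqcert", "never"), ("tls_reqcert", "allow"), ("tls_checkpeer", "no")}


def parse_options(text):
    """Return {key: value} for 'key value' lines; comments and blanks are skipped.
    Keys are case-insensitive (TLS_REQCERT and tls_reqcert are the same option)."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts[parts[0].lower()] = parts[1].strip().lower()
    return opts


def audit(configs):
    """configs: {path: file contents}. Returns (path, key, value, verdict) tuples,
    where verdict is 'ignored-by-nslcd', 'weak' or 'ok'."""
    findings = []
    for path, text in configs.items():
        for key, value in parse_options(text).items():
            if key not in TLS_KEYS:
                continue
            if path not in READ_BY_NSLCD:
                verdict = "ignored-by-nslcd"   # option has no effect on nslcd
            elif (key, value) in WEAK:
                verdict = "weak"               # certificate checking disabled
            else:
                verdict = "ok"
            findings.append((path, key, value, verdict))
    return findings


# Constructed sample mirroring the thread: ldap.conf fully commented out,
# tls_checkpeer in pam_ldap.conf, a weak tls_reqcert in nss-ldapd.conf.
SAMPLE = {
    "/etc/ldap/ldap.conf": "# TLS_REQCERT demand\nURI ldaps://ldap.example.org/\n",
    "/etc/pam_ldap.conf": "uri ldaps://ldap.example.org/\ntls_checkpeer no\n",
    "/etc/nss-ldapd.conf": "uri ldap://ldap.example.org/\nssl start_tls\ntls_reqcert allow\n",
}

if __name__ == "__main__":
    for path, key, value, verdict in audit(SAMPLE):
        print(f"{verdict:17} {path}: {key} {value}")
```

To run it against a live system, replace SAMPLE with the files read from disk (reading /root/.ldaprc needs root).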