On Mon, Jun 01, 2009 at 02:54:13PM +0200, Arthur de Jong wrote:
> On Sun, 2009-05-24 at 14:22 -0300, Rodrigo Campos wrote:
> > What is weird is that I have all options commented in /etc/ldap.conf
> > and I have no ~/.ldaprc.
> 
> On Sun, 2009-05-24 at 14:34 -0300, Rodrigo Campos wrote:
> > I meant /etc/ldap/ldap.conf (I don't have a /etc/ldap.conf file)
> >
> > And now that I check, I do have "tls_checkpeer no"
> > in /etc/pam_ldap.conf, perhaps that file was parsed too?
> 
> This file shouldn't be parsed as far as I know. You can try to start the
> old nslcd with:
>   strace -f -o /tmp/strace.log nslcd -d
> and have a look in the logfile to see which files are opened.

I will try tomorrow; I'm not at that computer right now.

> 
> > Any idea why this was working with 0.6.7.1? Should I look for other
> > used environment variables ?
> 
> I'm a bit puzzled by this. If there is nothing in the environment and
> nothing in any config file I can't imagine what would be different.
> 
> > > Any suggestions on to how to handle this on upgrading are welcome.
> >
> > Would it be too much work to parse the files that are not parsed anymore
> > and warn about the options that would be disabled? (although this is
> > not what happened to me or I didn't check right :) Perhaps it's not
> > worthless?
> 
> The problem here is that this can get very complex quickly. You have to
> parse /root/.ldaprc, /etc/ldap/ldap.conf and /etc/nss-ldapd.conf and
> handle options that are overridden. Also the configuration files may
> contain more options than are actually used or useful.

Yeah. Perhaps just saying which files used to be parsed but are not parsed
anymore is easier, and gives the user some places to look for which option
could be missing?

> 
> > > Well, it is possible to have a working installation but not with
> > > SSL/TLS and tls_reqcert something other than the default (which is
> > > demand according to the ldap.conf(5) manual page).
> > > 
> > > Perhaps another debconf question is in order when using SSL/TLS.
> > > What do you think?
> > > 
> > > The problem with that approach is that you probably also have to ask
> > > for tls_cacertdir and/or tls_cacertfile. The whole idea of the
> > > debconf questions is to get a minimal configuration working. It is
> > > not meant to fully configure the package.
> > > 
> > > Thanks. I will consider removing the SSL/TLS related warnings since
> > > this is a common configuration that seems to be working for most
> > > users.
> >
> > If it's a common configuration and the idea of the debconf questions is
> > to get a minimal configuration working, perhaps only a question to
> > activate that option (without the tls_cacertdir/tls_cacertfile if it's
> > too much work)?
> 
> I've been thinking a bit about this and this only works for ldaps://
> connections and not when using StartTLS (which seems to be the preferred
> method of operation by the OpenLDAP guys). For that to work you also
> have to add "ssl start_tls" to the config (which would turn into another
> debconf question).
> 
> The alternative would be to add a note to the URI debconf question to
> point out that for SSL more needs to be configured manually.

Sounds ok :)


Sorry for the delay, I don't know how I did not notice the email.

Thanks a lot,
Rodrigo
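As an added example (not code from the bug report, from Rodrigo, or from the nss-ldapd project), the following Python script does roughly what the suggestion above describes: it reads the ldap.conf-style files named in the thread, lists TLS-related options that sit in files nslcd does not read, and flags values such as "tls_checkpeer no" or "tls_reqcert never" that switch off server certificate verification. The list of files nslcd reads (/root/.ldaprc, /etc/ldap/ldap.conf, /etc/nss-ldapd.conf) is taken from Arthur's message; the file contents are constructed for the example, and the function names are this example's own.

```python
"""Audit ldap.conf-style files for TLS options that an nslcd upgrade may
silently stop honouring.  Added example; not part of nss-ldapd itself."""
from typing import Dict, List, Tuple

# Files nslcd reads, per Arthur's message in the thread (assumption for
# this example; check the version you run).
PARSED_BY_NSLCD: Tuple[str, ...] = (
    "/root/.ldaprc",
    "/etc/ldap/ldap.conf",
    "/etc/nss-ldapd.conf",
)

# Option names (lower-cased) that control TLS and certificate checking.
TLS_OPTIONS = {"ssl", "tls_checkpeer", "tls_reqcert", "tls_cacertfile", "tls_cacertdir"}

# Values that mean the server certificate is not required to be valid.
# tls_checkpeer is the pam_ldap/nss_ldap spelling; tls_reqcert is the
# ldap.conf(5) one ("never": no certificate requested, "allow": bad
# certificate ignored).
WEAK_VALUES = {
    "tls_checkpeer": {"no", "false", "off"},
    "tls_reqcert": {"never", "allow"},
}


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Parse the 'OPTION value' line format shared by ldap.conf, pam_ldap.conf
    and ~/.ldaprc.  Blank lines and '#' comments are skipped, option names are
    case-insensitive, and a later line overrides an earlier one."""
    options: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        options[key] = value
    return options


def audit_files(files: Dict[str, str], parsed: Tuple[str, ...] = PARSED_BY_NSLCD) -> List[str]:
    """Return one finding per TLS option that either lives in a file nslcd
    does not read (so it is silently ignored) or weakens certificate checks."""
    findings: List[str] = []
    for path, text in files.items():
        ignored = path not in parsed
        for key, value in parse_ldap_conf(text).items():
            if key not in TLS_OPTIONS:
                continue
            if ignored:
                findings.append(f"{path}: '{key} {value}' is set but this file is not read by nslcd")
            if value.lower() in WEAK_VALUES.get(key, set()):
                findings.append(f"{path}: '{key} {value}' does not require a valid server certificate")
    return findings


def audit_sample() -> List[str]:
    """Run the audit over constructed file contents resembling the situation
    in the thread: everything commented out in /etc/ldap/ldap.conf, and a
    'tls_checkpeer no' left behind in /etc/pam_ldap.conf."""
    sample = {
        "/etc/ldap/ldap.conf": "# commented out on purpose\n#TLS_REQCERT demand\nBASE dc=example,dc=org\n",
        "/etc/pam_ldap.conf": "uri ldaps://ldap.example.org/\nssl on\ntls_checkpeer no\n",
        "/etc/nss-ldapd.conf": "uri ldaps://ldap.example.org/\nbase dc=example,dc=org\n",
    }
    return audit_files(sample)


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

On a real host you would read the same paths from disk instead of the constructed dictionary; the point of the report is that a "tls_checkpeer no" in a file nslcd no longer reads explains neither a working nor a failing connection, so the administrator knows to look at the files nslcd does read for the tls_reqcert value actually in effect.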


