Arthur de Jong <adej...@debian.org> writes:

[...]

> I did notice that you have a separate ldap-sasl and ldap-sasl-mech
> question. I think it would be nicer (to follow the change in
> configuration to get rid of use_sasl) to have only one question which
> asks about the mechanism with a value of "No SASL" or something
> equivalent.
>
> I think it is a good idea to keep the debconf questions close to the
> configuration options. This is probably also clearer to the user and
> limits the number of questions.

Ok, I'll follow your advice, and send a new version of the patch.

> Perhaps it is also a good idea to move the password question after the
> SASL one or maybe even move the binddn question after SASL. If we keep
> the binddn question before SASL is it safe to skip the SASL question if
> the binddn is empty (is there any reasonable configuration with an empty
> binddn while using SASL)?

binddn is not used with SASL; authentication is done with:
- ticket cache information for Kerberos
- authcid for LOGIN, PLAIN, *-MD5

Here is a log for a working PLAIN authentication:

--8<---------------cut here---------------start------------->8---
nslcd: [3c9869] DEBUG: ldap_initialize(ldap://192.168.122.4)
nslcd: [3c9869] DEBUG: ldap_set_rebind_proc()
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_X_SASL_SECPROPS,"noanonymous")
nslcd: [3c9869] DEBUG: ldap_sasl_interactive_bind_s(NULL,"PLAIN") 
(uri="ldap://192.168.122.4";)
nslcd: [3c9869] DEBUG: do_sasl_interact(): were asked for sasl_authzid but we 
don't have any
nslcd: [3c9869] DEBUG: do_sasl_interact(): returning sasl_authcid "dad"
nslcd: [3c9869] DEBUG: do_sasl_interact(): returning bindpw "***"
nslcd: [3c9869] DEBUG: ldap_result(): end of results
--8<---------------cut here---------------end--------------->8---

Commenting binddn, bindpw, authcid and authzid:

--8<---------------cut here---------------start------------->8---
nslcd: [8b4567] DEBUG: ldap_sasl_interactive_bind_s(NULL,"PLAIN") 
(uri="ldap://192.168.122.4";)
nslcd: [8b4567] DEBUG: do_sasl_interact(): were asked for sasl_authzid but we 
don't have any
nslcd: [8b4567] DEBUG: do_sasl_interact(): were asked for sasl_authcid but we 
don't have any
nslcd: [8b4567] DEBUG: do_sasl_interact(): were asked for bindpw but we don't 
have any
--8<---------------cut here---------------end--------------->8---

Using binddn and bindpw:

--8<---------------cut here---------------start------------->8---
nslcd: [8b4567] DEBUG: 
ldap_sasl_interactive_bind_s("uid=daniel,ou=users,dc=baby-gnu,dc=org","PLAIN") 
(uri="ldap://192.168.122.4";)
nslcd: [8b4567] DEBUG: do_sasl_interact(): were asked for sasl_authzid but we 
don't have any
nslcd: [8b4567] DEBUG: do_sasl_interact(): were asked for sasl_authcid but we 
don't have any
nslcd: [8b4567] DEBUG: do_sasl_interact(): returning bindpw "***"
--8<---------------cut here---------------end--------------->8---

So, binddn or SASL, and bindpw is used for both.

Regards.
-- 
Daniel Dehennin
Retrieve my GPG key:
gpg --keyserver pgp.mit.edu --recv-keys 0x6A2540D1
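As an added example, not code from this thread or from nslcd itself: a small Python checker that parses nslcd debug lines of the kind quoted above and reports, per bind attempt, which SASL interaction items were supplied and which were missing, so that a host whose nslcd.conf sets binddn but no authcid for a PLAIN/LOGIN/*-MD5 bind is flagged. The sample log is constructed after the lines quoted in the reply, and the mechanism list follows the reply's statement that authcid is used for LOGIN, PLAIN and *-MD5.

```python
import re

# Constructed sample modelled on the nslcd debug lines quoted in this thread (not a live capture).
SAMPLE_LOG = """\
nslcd: [3c9869] DEBUG: ldap_sasl_interactive_bind_s(NULL,"PLAIN") (uri="ldap://192.168.122.4")
nslcd: [3c9869] DEBUG: do_sasl_interact(): were asked for sasl_authzid but we don't have any
nslcd: [3c9869] DEBUG: do_sasl_interact(): returning sasl_authcid "dad"
nslcd: [3c9869] DEBUG: do_sasl_interact(): returning bindpw "***"
nslcd: [3c9869] DEBUG: ldap_result(): end of results
nslcd: [8b4567] DEBUG: ldap_sasl_interactive_bind_s("uid=daniel,ou=users,dc=baby-gnu,dc=org","PLAIN") (uri="ldap://192.168.122.4")
nslcd: [8b4567] DEBUG: do_sasl_interact(): were asked for sasl_authzid but we don't have any
nslcd: [8b4567] DEBUG: do_sasl_interact(): were asked for sasl_authcid but we don't have any
nslcd: [8b4567] DEBUG: do_sasl_interact(): returning bindpw "***"
"""

BIND_RE = re.compile(r'nslcd: \[(?P<req>[0-9a-f]+)\] DEBUG: '
                     r'ldap_sasl_interactive_bind_s\((?P<dn>NULL|"[^"]*"),"(?P<mech>[^"]+)"\)')
INTERACT_RE = re.compile(r"nslcd: \[(?P<req>[0-9a-f]+)\] DEBUG: do_sasl_interact\(\): "
                         r"(?:returning (?P<got>\w+)|were asked for (?P<missing>\w+) but we don't have any)")

def summarize_binds(log_text):
    """Group do_sasl_interact() lines under the bind attempt (request id) they belong to."""
    binds = {}
    for line in log_text.splitlines():
        if m := BIND_RE.search(line):
            dn = None if m["dn"] == "NULL" else m["dn"].strip('"')
            binds[m["req"]] = {"mech": m["mech"], "binddn": dn, "supplied": set(), "missing": set()}
        elif (m := INTERACT_RE.search(line)) and m["req"] in binds:
            key = "supplied" if m["got"] else "missing"
            binds[m["req"]][key].add(m["got"] or m["missing"])
    return binds

def check_bind(info):
    """Flag a LOGIN/PLAIN/*-MD5 bind that ran without the authcid or bindpw it needs.
    binddn is not used for SASL, so a set binddn does not stand in for a missing authcid."""
    mech = info["mech"]
    if mech not in ("PLAIN", "LOGIN") and not mech.endswith("-MD5"):
        return []  # other mechanisms (e.g. Kerberos ticket cache) are not judged here
    problems = []
    if "sasl_authcid" in info["missing"]:
        note = " (binddn is set but is not used as authcid)" if info["binddn"] else ""
        problems.append("no sasl_authcid supplied" + note)
    if "bindpw" in info["missing"]:
        problems.append("no bindpw supplied")
    return problems
```

Run `check_bind` over each entry of `summarize_binds(SAMPLE_LOG)`: the first bind (authcid "dad") passes, the second (binddn set, no authcid) is reported.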