tags 591773 + pending
thanks

On Thu, 2010-08-05 at 15:18 +0200, Petter Reinholdtsen wrote:
> I ran into this problem with Debian Edu, where we use LDAP and
> Kerberos together. When installing Debian Edu using debian-installer,
> both libpam-ldapd and libpam-krb5 are installed, causing the PAM
> configuration to be set up with both LDAP and Kerberos authentication,
> when we only want to use Kerberos.
>
> Would it be OK to change the recommend in nslcd on libpam-ldapd to a
> suggests, or perhaps change it to something like this:
>
>   Recommends: nscd, libnss-ldapd, libpam-ldapd | libpam-krb5 | libpam-sss

I've merged the recommends from both libnss-ldapd and libpam-ldapd into
those of nslcd. Since both packages depend on nslcd this should
accomplish the same thing and keep the list of PAM alternatives in one
place.

> I would like to have libpam-sss listed there too, as we experiment
> with libpam-sss on roaming workstations and do not want libpam-ldapd
> on that profile either. :)

It has been added to the list. nslcd now has:

  Recommends: nscd, libnss-ldapd | libnss-ldap, libpam-ldapd | libpam-ldap | libpam-krb5 | libpam-heimdal | libpam-sss

So you are using the nss-pam-ldapd NSS module and sss for PAM? Is this a
reasonable configuration (since sss also provides an NSS module)?

> A more scalable solution might be to introduce a virtual package for
> pam modules providing authentication (say pam-authentication), and use
>
>   Recommends: nscd, libnss-ldapd, libpam-ldapd | pam-authentication

I'm not sure this will work because sometimes you may want to have
different PAM modules do authentication for different users (e.g. some
users come from LDAP, some from /etc/passwd, some from Samba). For
libnss-ldapd we are only interested in PAM modules that do
authentication for users in LDAP so at the very least pam-authentication
is too broad.

Since squeeze is already frozen I don't think this is the time for such
a change.

Anyway, thanks for pointing this out.

-- 
-- arthur - adej...@debian.org - http://people.debian.org/~adejong --
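Added example, not part of the original message and not apt's or the package's own code: a simplified model of how a Recommends field with alternatives decides which packages get pulled in, applied to the nslcd line quoted above. The function names, the set of already selected packages and the single-alternative "before" line are assumptions made for illustration; the model ignores virtual packages and versions.

```python
"""Simplified model of resolving a Recommends field that contains alternatives."""

# Recommends line for nslcd as quoted in the message above.
NSLCD_RECOMMENDS = (
    "nscd, libnss-ldapd | libnss-ldap, "
    "libpam-ldapd | libpam-ldap | libpam-krb5 | libpam-heimdal | libpam-sss"
)

# Constructed "before" line (assumption): the same relation without PAM alternatives.
NO_ALTERNATIVES = "nscd, libnss-ldapd, libpam-ldapd"


def parse_relations(field):
    """Split a dependency field into groups of alternative package names."""
    groups = []
    for group in field.split(","):
        alts = []
        for alt in group.split("|"):
            # Drop version constraints "(>= 1.0)", arch lists "[i386]" and ":any".
            name = alt.split("(")[0].split("[")[0].strip().split(":")[0]
            if name:
                alts.append(name)
        if alts:
            groups.append(alts)
    return groups


def pulled_in(field, selected):
    """Return the packages added for `field`: the first alternative of every
    group that no already selected package satisfies (hypothetical helper)."""
    selected = set(selected)
    extra = []
    for alts in parse_relations(field):
        if not selected.intersection(alts):
            extra.append(alts[0])
            selected.add(alts[0])
    return extra


if __name__ == "__main__":
    # Constructed scenario: a Kerberos-only profile that already selects libpam-krb5.
    profile = {"nslcd", "libpam-krb5"}
    print("no alternatives:  ", pulled_in(NO_ALTERNATIVES, profile))
    print("with alternatives:", pulled_in(NSLCD_RECOMMENDS, profile))
```

On an installed system, comparing the output against the modules enabled by `pam-auth-update` shows whether an LDAP authentication path was added next to Kerberos without being wanted.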