> -----Original Message-----
> From: Giuseppe Sacco [mailto:[EMAIL PROTECTED]
> Sent: Saturday, March 03, 2007 4:58 AM
> To: Jamie ffolliott
> Cc: Steve Langasek; [EMAIL PROTECTED]
> Subject: Bug#407746: libpam-ldap upgrade breaks pam_ldap.conf and can't login
> 
> Hi Jamie,
> 
> On Mon, 26/02/2007 at 17.02 -0500, Jamie ffolliott wrote:
> [...]
> > The issue that forces manual editing is that: the package wants to
> > maintain the libpam-ldap.conf, and will not allow me to specify a
> > "uri" setting to speak to the ldap server via ldaps://.  There are
> > almost always other types of changes one needs to make to the .conf,
> > so debconf will never be the only thing writing this file.
> >
> > Alternatively, allow configuration of the "uri" setting using debconf,
> > or simply convert to using the "uri" setting instead of "host" since
> > it is more flexible.
> 
> I still cannot reproduce your problem: when debconf prompts
> you for a host, you may type a complete URI. The package
> script will recognise it as a URI and will correctly write
> the URI line instead of the HOST one.
>
> For instance, I use this as the answer to "LDAP Server host":
> ldapi://%2fvar%2frun%2fslapd%2fldapi/
>
> It is a perfectly valid URI to connect to a local LDAP server via ldapi://

Well, who would have known! ;)  The URI does work in the host field (mostly,
see below).

Can you please mention that information on the debconf screen, about a URI
being valid?  It is asking for a "Host, or preferably an IP address".

I entered:
ldaps://myldap.host.com/

And that edited pam_ldap.conf as so, changing this section:

# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
uri ldaps://myldap.host.com/

to this:

# Another way to specify your LDAP server is to provide an
uri ldaps://myldap.host.com/
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
uri ldaps://myldap.host.com/

So notice that the package is looking for the first "uri", which is found in
a textual comment in the default pam_ldap.conf, and replacing that line, but
leaving any other "uri" settings below it enabled, so we can end up with
multiple entries.  I imagine the one that takes effect in pam is the last
one, so the one debconf wrote would not be used.  The same happened to me
for "host", producing multiple entries.

I'll suggest an improvement:
A) Search for the first "uri" that is uncommented, and re-write that one.  A
regex should do the trick, like "^[ ]*uri .*".

If none is found, then add a new line at the end of the uri stanza, i.e.:
B) Find the first "^[# ]*uri .*", then
C) find the next blank line "^$", and
D) insert a new line there with the uri setting.

> Would you please give it a try? It should be the first 
> question asked by debconf. If this does not work for you, 
> please send me your /etc/pam_ldap.conf, so I could try again 
> to reproduce the problem.
> 
> > uri ldap://hostname
> > 
> > is equivalent to
> > 
> > host hostname
> > port 389
> > 
> > The other issue is that you store a sensitive password (allowing write
> > to the ldap directory) in debconf, without appropriate encryption -
> > that stuff should generally not be stored and used to overwrite the
> > pam_ldap.secret file.  I'd prefer if it asked for the password once on
> > initial install, and never touched it again, or at the very minimum
> > should prompt each time before overwriting it.
> 
> This is how the current package behaves. If you provide a
> password, then it stores this password in the debconf database,
> then saves it to the file in /etc, then deletes the password
> from the debconf database.
> If you do not type any password and the secret file already
> exists, then the old one is used without storing it in the
> debconf database.

Ok then, I verified this works in the latest package.  Thank you.

> It seems to me that you are using an old version of the 
> package. Would you please try the version currently in 
> unstable or the one I sent you?

It's the one you sent me.

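The A) to D) edit procedure proposed above, written out as an added example; this is not the libpam-ldap package's own postinst code. It assumes a pam_ldap.conf laid out like the default quoted in the message, where the commented "#uri" examples form one stanza that ends at a blank line.

```shell
#!/bin/sh
# Added example (not the libpam-ldap package's own code): set the "uri"
# directive in a pam_ldap.conf without creating duplicate entries.
# A) If an uncommented "uri" line exists, rewrite the first one (^[ ]*uri .*).
# B)-D) Otherwise find the first "^[# ]*uri .*" line, then the next blank
#       line, and insert the new setting just before it (end of the stanza).
# Commented-out "#uri" examples are never touched, and a file with no uri
# stanza at all gets the setting appended at the end.
set_pam_ldap_uri() {
    conf=$1
    new_uri=$2
    tmp=$(mktemp)
    awk -v uri="$new_uri" '
        BEGIN { done = 0; in_stanza = 0 }
        # A) first active uri line: replace it and stop editing
        !done && /^[ ]*uri / { print "uri " uri; done = 1; next }
        # B) any uri line, commented or not, marks the start of the stanza
        !done && /^[# ]*uri / { in_stanza = 1 }
        # C)+D) first blank line after the stanza: insert the setting before it
        !done && in_stanza && /^$/ { print "uri " uri; done = 1 }
        { print }
        # no active line and no stanza: append at end of file
        END { if (!done) print "uri " uri }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # overwrite in place (cat, not mv) so the file keeps its mode and owner
    cat "$tmp" > "$conf" && rm -f "$tmp"
}
```

Running it twice with different URIs leaves exactly one active uri line, which is the behaviour the message asks for.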