Hi everyone. I've been setting up LDAP in Ubuntu lately, and have run
headlong into this issue again.

Arguably, the situation has gotten worse in the past three years, as the
dependency rat's nest has become more convoluted.

I've put together a new visual aid to illustrate the current situation;
it is attached. Here's how to interpret it:

* As before, solid-line arrows represent Depends: or Pre-Depends:
* Dashed-line arrows represent Recommends:
* I've represented alternatives ("either X or Y") with diamond-shaped nodes

(Note that the alternatives in this graph are due to Provides: fields in
lib{nss,pam}-ldapd, not the usual "|" syntax in Depends:)

Here's what I would like to see changed:

1. Rename the "ldap-auth-config" package to "ldap-config" (just as you
suggested in 2013, Robie; that's my exact reasoning as well)

2. Weaken the dependency on auth-client-config. This utility is (1)
confusing and poorly documented; (2) not necessary when nslcd is
installed, because that package has its own logic to modify
/etc/nsswitch.conf, and (3) dependent on Python, which means that if you
set up LDAP on a minimal install, you're pulling in all of Python just to
run a script that you likely don't even need.

3. Remove (or at least weaken) the dependency on ldap-auth-client. This
is a metapackage for LDAP authentication. Not only is it inappropriate
for ldap[-auth]-config to depend on this, given that an LDAP config does
not necessarily exist for authentication purposes, a task-specific
metapackage like this should be at the top of the dependency graph
because it is meant to be directly/explicitly installed by a user.

4. Add a dependency (probably Recommends:) from libpam-ldapd and
libnss-ldapd to ldap[-auth]-config, just as libnss-ldap already has. These
components require an LDAP config to function, so that is reasonable to
express in this way.

5. Weaken the dependency from libpam-ldap to ldap[-auth]-config, to be
consistent with the same dependency from libnss-ldap.

6. Kill the Recommends: from libnss-ldap to libpam-ldap. There's
absolutely no reason for that to be there; using LDAP for NSS in no way
implies using it for authentication.

7. Weaken the dependencies on nslcd, because that daemon is not strictly
required for lib{nss,pam}-ldapd to function (although it certainly
helps). Better yet, replace these with a Recommends: from
ldap[-auth]-config, because nslcd can benefit anything that uses
/etc/ldap.conf for NSS purposes (primarily all of lib{nss,pam}-ldap{,d})
and one dependency is better than multiple.


Comments, thoughts?

** Attachment added: "Dependency graph"
   
https://bugs.launchpad.net/ubuntu/+source/libnss-ldap/+bug/334374/+attachment/4648714/+files/ldap-deps.png

https://bugs.launchpad.net/bugs/334374

Title:
  libnss-ldap should not depend on libpam-ldap
