
Re: [RFR] templates://libpam-ldap/{templates}



Christian Perrier wrote:
>>>  Template: libpam-ldap/rootbinddn
>[...]
>> The best sense I can make of all this is that it's trying to say:
>>
>>  _Description: LDAP administrative account:
>>   Please enter the name of the LDAP account that should be created with
>>   administrative privileges (required for write-access to the database).
> 
> No, it is not created. It has to exist already.

And when it says "This account has to be a privileged account", does
that mean it must _already_ have the appropriate privileges, or is
it warning that the nominated account will necessarily be _granted_
write access?  I'm going to guess the latter.

Oh, and I assume the "unprivileged database user" that
libpam-ldap/binddn asks for is also one that must exist already.

>>>  Template: libpam-ldap/rootbindpw
>> [...]
>>>  _Description: LDAP root account password:
>>>   Please enter the password to use when ${package} tries to
>>>   login to the LDAP directory using the LDAP account for root.
>> 
>> "To log in", verb.  But... what's going on?  Packages have logins?
>> If "the LDAP account for root" is the one I just named, it would be
>> helpful if it would remember and use that name...
> 
> This is the one that got just named.

But what's ${package}, and why is it trying to log in?

Looking at libpam-ldap/dbrootlogin again:

>>> _Description: Allow LDAP admin account to behave like local root?

This seems an odd way of putting it.  "Behaving like root" may seem
synonymous with "managing local accounts" to an LDAP developer, but
root does a lot of other things (rarely including account-management
in these days of sudo...) - should it perhaps say:

    _Description: Allow management of local user accounts from LDAP?

(That's not in my patch.)
-- 
JBR	with qualifications in linguistics, experience as a Debian
	sysadmin, and probably no clue about this particular package
--- ../libpam-ldap-184.pristine/debian/templates	2009-05-15 09:24:29.000000000 +0100
+++ debian/templates	2009-05-20 12:00:31.000000000 +0100
@@ -1,37 +1,41 @@
 Template: libpam-ldap/rootbinddn
 Type: string
 Default: cn=manager,dc=example,dc=net
-_Description: LDAP account for root:
- This account will be used when root changes a password.
+_Description: LDAP administrative account:
+ Please enter the name of the LDAP administrative account.
  .
- Note: This account has to be a privileged account.
+ This account will be used automatically for database management, so
+ it will be granted the appropriate privileges.
 
 Template: libpam-ldap/rootbindpw
 Type: password
-_Description: LDAP root account password:
- Please enter the password to use when ${package} tries to
- login to the LDAP directory using the LDAP account for root.
+#flag:comment:3
+# Translators: do not translate "$(unknown)"
+_Description: LDAP administrative password:
+ Please enter the password of the administrative account.
+ .
+ The password will be stored in the file $(unknown).
+ This will be made readable to root only, and will allow ${package}
+ to carry out automatic database management logins.
  .
- The password will be stored in a separate file $(unknown)
- which will be made readable to root only.
- .
- Entering an empty password will re-use the old password.
+ If this field is left empty, the previously stored password will
+ be re-used.
 
 Template: libpam-ldap/dblogin
 Type: boolean
 Default: false
 _Description: Does the LDAP database require login?
- Choose this option if you can't retrieve entries from
- the database without logging in.
+ Please choose whether the LDAP server should enforce a login before
+ retrieving entries.
  .
- Note: Under a normal setup, this is not needed.
+ Such a setup is not usually needed.
 
 Template: shared/ldapns/base-dn
 Type: string
 Default: dc=example,dc=net
 _Description: Distinguished name of the search base:
- Please enter the distinguished name of the LDAP search base.  Many sites
- use the components of their domain names for this purpose.  For example,
+ Please enter the distinguished name of the LDAP search base. Many sites
+ use the components of their domain names for this purpose. For example,
  the domain "example.net" would use "dc=example,dc=net" as the
  distinguished name of the search base.
 
@@ -39,81 +43,74 @@
 Type: select
 __Choices: clear, crypt, nds, ad, exop, md5
 Default: crypt
-_Description: Local crypt to use when changing passwords.
- The PAM module can set the password crypt locally when changing the
- passwords, this is usually a good choice. By setting this to something
- else than clear you are making sure that the password gets crypted in some
- way.
- .
- The meanings for selections are:
- .
- clear - Don't set any encryptions, this is useful with servers that
- automatically encrypt userPassword entry.
- .
- crypt - (Default) make userPassword use the same format as the flat
- filesystem. this will work for most configurations
- .
- nds - Use Novell Directory Services-style updating, first remove the old
- password and then update with cleartext password.
- .
- ad - Active Directory-style. Create Unicode password and update unicodePwd
- attribute
- .
- exop - Use the OpenLDAP password change extended operation to update the
- password.
+_Description: Local encryption algorithm to use for passwords:
+ The PAM module can encrypt the password locally when changing it,
+ which is recommended:
+  * clear: no encryption. This should be chosen when LDAP servers
+    automatically encrypt the userPassword entry;
+  * crypt: make userPassword use the same format as the flat
+    local password database. If in doubt, you should choose this option;
+  * nds: use Novell Directory Services-style updating. The old
+    password is first removed, then updated;
+  * ad: Active Directory-style. This creates a Unicode password and
+    updates the unicodePwd attribute;
+  * exop: use the OpenLDAP password change extended operation to update the
+    password.
 
 Template: shared/ldapns/ldap_version
 Type: select
 Choices: 3, 2
 Default: 3
 _Description: LDAP version to use:
- Please enter which version of the LDAP protocol should be used by
- ldapns.  It is usually a good idea to set this to the highest
- available version number.
+ Please choose the version of the LDAP protocol that should be used by
+ ldapns. Using the highest available version number is recommended.
 
 Template: libpam-ldap/binddn
 Type: string
 Default: cn=proxyuser,dc=example,dc=net
-_Description: Unprivileged database user:
- Please enter the name of the account that will be used to log in to the LDAP
- database.
- .
- Warning: DO NOT use privileged accounts for logging in, the configuration
- file has to be world readable.
+_Description: LDAP login user account:
+ Please enter the name of the LDAP account that should be used for
+ non-administrative (read-only) database logins.
+ .
+ It is highly recommended to use an unprivileged account, because
+ the configuration file that contains the account name and password
+ must be world-readable.
 
 Template: libpam-ldap/dbrootlogin
 Type: boolean
 Default: true
-_Description: Make local root Database admin.
- This option will allow you to make password utilities that use pam, to
- behave like you would be changing local passwords.
+_Description: Allow LDAP admin account to behave like local root?
+ This option will allow password utilities that use PAM to
+ change local passwords.
  .
- The password will be stored in a separate file which will be made
+ The LDAP admin account password will be stored in a separate file which will be made
  readable to root only.
  .
- If you are using NFS mounted /etc or any other custom setup, you should
- disable this.
+ If /etc is mounted by NFS, this option should be disabled.
 
 Template: shared/ldapns/ldap-server
 Type: string
 Default: ldapi:///
-_Description: LDAP server Uniform Resource Identifier:
- Please enter the URI of the LDAP server used. This is a string in the
- form ldap://<hostname or IP>:<port>/ . ldaps:// or ldapi:// can also
- be used. The port number is optional.
+_Description: LDAP server URI:
+ Please enter the Uniform Resource Identifier of the LDAP server.
+ The format is 'ldap://<hostname_or_IP>:<port>/'. Alternatively,
+ 'ldaps://' or 'ldapi://' can be used. The port number is optional.
  .
- Note: It is usually a good idea to use an IP address; this reduces risks
- of failure in the event name service is unavailable.
+ Using an IP address is recommended to avoid failures when
+ domain name services are unavailable.
 
 Template: libpam-ldap/bindpw
 Type: password
-_Description: Password for database login account:
- Please enter the password that will be used to log in to the LDAP database.
+_Description: Password for LDAP login user:
+ Please enter the password for the nonadministrative LDAP login account.
 
 Template: libpam-ldap/override
 Type: boolean
 Default: true
-_Description: Make debconf change your config?
- libpam-ldap has been moved to use debconf for its configuration. Should
- the settings in debconf be applied to the configuration?  Package
- upgrades will use your answer here going forward.
+_Description: Manage libpam-ldap configuration automatically?
+ The libpam-ldap package configuration may be managed automatically
+ using answers to questions asked during the configuration process.
+ The resulting configuration file may overwrite local changes.
+ .
+ If you do not choose this option, no further questions will be asked
+ and the configuration will need to be done manually.
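Review bot: The pam_password bullet list still omits "md5", which is in __Choices on the unchanged line above, so users are offered an option the description never explains; add a bullet for it. The new short description "Local encryption algorithm to use for passwords" is also inaccurate for crypt and md5, which are one-way hashes, not encryption; "password hashing method" would cover all the choices. In libpam-ldap/dbrootlogin, "allow password utilities that use PAM to change local passwords" inverts the original meaning: the option makes changing LDAP passwords behave like changing local ones (root sets them without supplying the old password, binding as the rootbinddn account), so something like "allow password utilities that use PAM to change LDAP passwords as if they were local, using the administrative account" preserves the sense. Finally, in shared/ldapns/ldap-server the unqualified "Using an IP address is recommended" needs a caveat for "ldaps://": when certificate checking is enabled, the host in the URI must match the server certificate, and an IP address will not unless the certificate was issued for it.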
