Re: Request for review
Arthur de Jong wrote:
> (please keep me in Cc because I'm not subscribed to the list)
> Template: libnss-ldapd/ldap-uris
> Please enter the Uniform Resource Identifier of the LDAP server. The format
> is 'ldap://<hostname_or_IP>:<port>/'. Alternatively, 'ldaps://' or 'ldapi://'
> can be used. The port number is optional.
> When using an ldap or ldaps scheme it is recommended to use an IP address to
> avoid failures when domain name services are unavailable.
(The reference to "ldap or ldaps scheme" specifically means the URI
prefix, so lowercase is correct. Likewise in later templates where
"ldap" means the string that goes in nsswitch.conf.)
> Template: libnss-ldapd/ldap-binddn
> If the LDAP database requires a login for normal lookups, enter the name of
> the account that will be used here. Leave empty otherwise.
Full sentences: s/Leave empty/Leave it empty/
> Template: libnss-ldapd/ldap-reqcert
> When an encrypted connection is used a server certificate can be requested
> and checked. This option determines whether the server should provide a
> certificate and whether the certificate should be checked for validity.
> * never: no certificate will be requested or checked
> * allow: a certificate will be requested but it is not
> required or checked
> * try: a certificate will be requested and checked but if no
> certificate is provided it is ignored
> * demand: a certificate will be requested, required and checked
> Note that at least one of the tls_cacertdir or tls_cacertfile options should
> be put in /etc/nss-ldapd.conf if certificate checking is enabled.
This is configuring how NSS lookups should behave, but saying that
it "determines whether the server should..." makes it sound as if
you're configuring the LDAP server. I'd suggest something like:
When an encrypted connection is used, a server certificate can be requested
and checked. Please choose whether lookups should be configured to require
a certificate, and whether certificates should be checked for validity:
* never: no certificate will be requested or checked;
* allow: a certificate will be requested, but it is not
required or checked;
* try: a certificate will be requested and checked, but if no
certificate is provided it is ignored;
* demand: a certificate will be requested, required, and checked.
If certificate checking is enabled, at least one of the tls_cacertdir or
tls_cacertfile options must be put in /etc/nss-ldapd.conf.
(This has some minor punctuation changes, too.)
> Template: libnss-ldapd/nsswitch
> You can select the services that should be enabled or disabled for LDAP
> lookups. The new LDAP lookups will be added as last option. Be sure to review
> these changes.
I'm not keen on this phrasing. It isn't the services themselves
that are "enabled or disabled", and you shouldn't "select" the ones
you want to have LDAP lookups disabled.
You can select the services that should have LDAP lookups enabled. The
new LDAP lookups will be added as the last datasource. Be sure to review
> Template: libnss-ldapd/clean_nsswitch
> Type: boolean
> Default: false
> _Description: Remove LDAP from nsswitch.conf now?
> LDAP is still configured for name lookups for the following services:
> but the libnss-ldapd package is about to be removed.
Shouldn't that be:
The following services are still configured to use LDAP for lookups:
> You can edit /etc/nsswitch.conf by hand or chose to remove the entries
> automatically now. Be sure to review the changes to /etc/nsswitch.conf if you
> chose to remove the entries now.
An orthographic boobytrap: s/chose/choose/ throughout.
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package