Please find, for review, the debconf templates and packages descriptions for the libpam-ldap source package. This review will last from Tuesday, May 19, 2009 to Friday, May 29, 2009. Please send reviews as unified diffs (diff -u) against the original files. Comments about your proposed changes will be appreciated. Your review should be sent as an answer to this mail. When appropriate, I will send intermediate requests for review, with "[RFRn]" (n>=2) as a subject tag. When we will reach a consensus, I send a "Last Chance For Comments" mail with "[LCFC]" as a subject tag. Finally, the reviewed templates will be sent to the package maintainer as a bug report, and a mail will be sent to this list with "[BTS]" as a subject tag. Rationale: --- libpam-ldap.old/debian/templates 2009-02-14 12:19:34.483870281 +0100 +++ libpam-ldap/debian/templates 2009-05-15 07:35:28.487557065 +0200 @@ -2,36 +2,40 @@ Type: string Default: cn=manager,dc=example,dc=net _Description: LDAP account for root: - This account will be used when root changes a password. + Please enter the LDAP account that will be used when the local + root account for this machine changes a password. We generally discourage "linking" the synopsis and the long description. Sometimes, the long description comes before, some other times, it comes after the synopsis...and sometimes even, it is not directly shown to users. The "Please enter" trick better copes with all these situations. Mention that "the root account" is the local one. One could argue that the "root account" doesn't actually change passwords...this is rather the person using it ... . - Note: This account has to be a privileged account. + This account has to be a privileged account. We often discourage "Note" as this doesn't really add much information. Template: libpam-ldap/rootbindpw Type: password +#flag:comment:3 +# Translators: do not translate "${filename}" The comment will appear for the second paragraph of the synopsis. Sometimes translators do such mistake. _Description: LDAP root account password: Please enter the password to use when ${package} tries to login to the LDAP directory using the LDAP account for root. . - The password will be stored in a separate file ${filename} + The password will be stored in a separate file (${filename}) which will be made readable to root only. ${filename} should either be parenthesized or put between commas. . - Entering an empty password will re-use the old password. + If that field is left empty, the previously stored password will + be re-used. Clearer (imho). This is not exactly entering an empty password as the final password turns out to be non empty, but the former one. Template: libpam-ldap/dblogin Type: boolean Default: false _Description: Does the LDAP database require login? - Choose this option if you can't retrieve entries from - the database without logging in. + Please choose whether the LDAP server enforces a login before + retrieving entries. Our standard recommendation in such situations . - Note: Under a normal setup, this is not needed. + Such setup is unusual and therefore unneeded in most situations. Drop "Note:" and put a slightly stronger formulation. Template: shared/ldapns/base-dn Type: string Default: dc=example,dc=net _Description: Distinguished name of the search base: - Please enter the distinguished name of the LDAP search base. Many sites - use the components of their domain names for this purpose. For example, - the domain "example.net" would use "dc=example,dc=net" as the + Please enter the distinguished name of the LDAP search base. Many sites + use the components of their domain names for this purpose. For example, - the domain 'example.net' would use 'dc=example,dc=net' as the distinguished name of the search base. Drop double spaces (overall consistency among packages) Use single quotes (the 'standard' we finally settled upon) @@ -39,81 +43,74 @@ Type: select __Choices: clear, crypt, nds, ad, exop, md5 Default: crypt -_Description: Local crypt to use when changing passwords. - The PAM module can set the password crypt locally when changing the - passwords, this is usually a good choice. By setting this to something - else than clear you are making sure that the password gets crypted in some - way. - . - The meanings for selections are: - . - clear - Don't set any encryptions, this is useful with servers that - automatically encrypt userPassword entry. - . - crypt - (Default) make userPassword use the same format as the flat - filesystem. this will work for most configurations - . - nds - Use Novell Directory Services-style updating, first remove the old - password and then update with cleartext password. - . - ad - Active Directory-style. Create Unicode password and update unicodePwd - attribute - . - exop - Use the OpenLDAP password change extended operation to update the - password. +_Description: Local encryption algorithm to use for passwords: + The PAM module can encrypt the password locally when changing it, + which is recommended: + * clear: no encryption. This should be chosen when LDAP servers + automatically encrypt the userPassword entry; + * crypt: make userPassword use the same format as the flat + local password database. If in doubt, you should choose this option; + * nds: use Novell Directory Services-style updating. The old + password is first removed, then updated; + * ad: Active Directory-style. This creates a Unicode password and + updates the unicodePwd attribute; + * exop: use the OpenLDAP password change extended operation to update the + password. "Local crypt"....is cryptic to me..:-) Shorten the first paragraph "the" userPassword entry: "the" seems mandatory to me here. Other changes are personal taste crypt: avoid mentioning "default". In some situations (for instance with preseeding debconf) that could be wrong. Users will see this is the default, anyway..:). The format is not in the local file system, but rather in the local password database ad and exop: cosmetic changes Avoid too many paragraphs. That makes the template not fit on one screen (with my version, it probably doesn't as well, but at least the long description does). Use asterisks as standard for enumerations). Template: shared/ldapns/ldap_version Type: select Choices: 3, 2 Default: 3 _Description: LDAP version to use: - Please enter which version of the LDAP protocol should be used by - ldapns. It is usually a good idea to set this to the highest - available version number. + Please choose the version of the LDAP protocol that should be used by + ldapns. Using the highest available version number is recommended. In such case, we *choose* the protocol version (imho). Use "<foo> is recommended" instead of "It is a good idea to do <foo>" Template: libpam-ldap/binddn Type: string Default: cn=proxyuser,dc=example,dc=net _Description: Unprivileged database user: - Please enter the name of the account that will be used to log in to the LDAP + Please enter the name of the account that will be used to login to the LDAP database. Justin will confirm (or not). I think this is debated but, in that case, the presence of "to" makes the two words version look strange. . - Warning: DO NOT use privileged accounts for logging in, the configuration - file has to be world readable. + It is highly recommended to use an unprivileged account because + the configuration file that contains that account name and password + has to be world-readable. Don't yell and just give facts. Template: libpam-ldap/dbrootlogin Type: boolean Default: true -_Description: Make local root Database admin. - This option will allow you to make password utilities that use pam, to - behave like you would be changing local passwords. +_Description: Allow LDAP admin account to behave like local root? + This option will allow password utilities that use PAM to + change local passwords. This is a boolean template, so the synopsis has to be a question. Simplify the sentence that was (imho) awkward. . - The password will be stored in a separate file which will be made + The LDAP admin account password will be stored in a separate file which will be made readable to root only. Specify what password we're talking about... . - If you are using NFS mounted /etc or any other custom setup, you should - disable this. + If /etc is mounted by NFS, this option should be disabled. Template: shared/ldapns/ldap-server Type: string Default: ldapi:/// -_Description: LDAP server Uniform Resource Identifier: - Please enter the URI of the LDAP server used. This is a string in the - form ldap://<hostname or IP>:<port>/ . ldaps:// or ldapi:// can also - be used. The port number is optional. +_Description: LDAP server URI: + Please enter the Uniform Resource Identifier of the LDAP server. + The format is 'ldap://<hostname_or_IP>:<port>/'. Alternatively, + 'ldaps://' or 'ldapi://' can be used. The port number is optional. "URI" is never defined before, so let's avoid jargon. Simplify other sentences and avoid starting with "ldaps://". . - Note: It is usually a good idea to use an IP address; this reduces risks - of failure in the event name service is unavailable. + Using an IP address is recommended to avoid failures when + domain name services are unavailable. Sams comments than above. Template: libpam-ldap/bindpw Type: password _Description: Password for database login account: - Please enter the password that will be used to log in to the LDAP database. + Please enter the password that will be used to login to the LDAP database. Ditto Template: libpam-ldap/override Type: boolean Default: true -_Description: Make debconf change your config? - libpam-ldap has been moved to use debconf for its configuration. Should - the settings in debconf be applied to the configuration? Package - upgrades will use your answer here going forward. +_Description: Manage libpam-ldap configuration automatically? + The libpam-ldap package configuration may be managed automatically + from answers to questions asked during the configuration process. + The resulting configuration file may overwrite local changes. + . + If you do not choose this option, no further questions will be asked + and the configuration has to be done manually. It is discouraged to make direct references to debconf (another tool could exist to do the same job). The recommended wording goes around "automatic configurration" and the like. That more or less leads to a complete rewrite of the template. Avoid leading lowercase from the package name by using the "The package <foo>" trick PS: I found nothing to change in the package's description in debian/control --
Template: libpam-ldap/rootbinddn Type: string Default: cn=manager,dc=example,dc=net _Description: LDAP account for root: Please enter the LDAP account that will be used when the local root account for this machine changes a password. . This account has to be a privileged account. Template: libpam-ldap/rootbindpw Type: password #flag:comment:3 # Translators: do not translate "${filename}" _Description: LDAP root account password: Please enter the password to use when ${package} tries to login to the LDAP directory using the LDAP account for root. . The password will be stored in a separate file (${filename}) which will be made readable to root only. . If that field is left empty, the previously stored password will be re-used. Template: libpam-ldap/dblogin Type: boolean Default: false _Description: Does the LDAP database require login? Please choose whether the LDAP server enforces a login before retrieving entries. . Such setup is unusual and therefore unneeded in most situations. Template: shared/ldapns/base-dn Type: string Default: dc=example,dc=net _Description: Distinguished name of the search base: Please enter the distinguished name of the LDAP search base. Many sites use the components of their domain names for this purpose. For example, the domain 'example.net' would use 'dc=example,dc=net' as the distinguished name of the search base. Template: libpam-ldap/pam_password Type: select __Choices: clear, crypt, nds, ad, exop, md5 Default: crypt _Description: Local encryption algorithm to use for passwords: The PAM module can encrypt the password locally when changing it, which is recommended: * clear: no encryption. This should be chosen when LDAP servers automatically encrypt the userPassword entry; * crypt: make userPassword use the same format as the flat local password database. If in doubt, you should choose this option; * nds: use Novell Directory Services-style updating. The old password is first removed, then updated; * ad: Active Directory-style. This creates a Unicode password and updates the unicodePwd attribute; * exop: use the OpenLDAP password change extended operation to update the password. Template: shared/ldapns/ldap_version Type: select Choices: 3, 2 Default: 3 _Description: LDAP version to use: Please choose the version of the LDAP protocol that should be used by ldapns. Using the highest available version number is recommended. Template: libpam-ldap/binddn Type: string Default: cn=proxyuser,dc=example,dc=net _Description: Unprivileged database user: Please enter the name of the account that will be used to login to the LDAP database. . It is highly recommended to use an unprivileged account because the configuration file that contains that account name and password has to be world-readable. Template: libpam-ldap/dbrootlogin Type: boolean Default: true _Description: Allow LDAP admin account to behave like local root? This option will allow password utilities that use PAM to change local passwords. . The LDAP admin account password will be stored in a separate file which will be made readable to root only. . If /etc is mounted by NFS, this option should be disabled. Template: shared/ldapns/ldap-server Type: string Default: ldapi:/// _Description: LDAP server URI: Please enter the Uniform Resource Identifier of the LDAP server. The format is 'ldap://<hostname_or_IP>:<port>/'. Alternatively, 'ldaps://' or 'ldapi://' can be used. The port number is optional. . Using an IP address is recommended to avoid failures when domain name services are unavailable. Template: libpam-ldap/bindpw Type: password _Description: Password for database login account: Please enter the password that will be used to login to the LDAP database. Template: libpam-ldap/override Type: boolean Default: true _Description: Manage libpam-ldap configuration automatically? The libpam-ldap package configuration may be managed automatically from answers to questions asked during the configuration process. The resulting configuration file may overwrite local changes. . If you do not choose this option, no further questions will be asked and the configuration has to be done manually.
--- libpam-ldap.old/debian/templates 2009-02-14 12:19:34.483870281 +0100 +++ libpam-ldap/debian/templates 2009-05-19 14:12:28.159656214 +0200 @@ -2,118 +2,115 @@ Type: string Default: cn=manager,dc=example,dc=net _Description: LDAP account for root: - This account will be used when root changes a password. + Please enter the LDAP account that will be used when the local + root account for this machine changes a password. . - Note: This account has to be a privileged account. + This account has to be a privileged account. Template: libpam-ldap/rootbindpw Type: password +#flag:comment:3 +# Translators: do not translate "${filename}" _Description: LDAP root account password: Please enter the password to use when ${package} tries to login to the LDAP directory using the LDAP account for root. . - The password will be stored in a separate file ${filename} + The password will be stored in a separate file (${filename}) which will be made readable to root only. . - Entering an empty password will re-use the old password. + If that field is left empty, the previously stored password will + be re-used. Template: libpam-ldap/dblogin Type: boolean Default: false _Description: Does the LDAP database require login? - Choose this option if you can't retrieve entries from - the database without logging in. + Please choose whether the LDAP server enforces a login before + retrieving entries. . - Note: Under a normal setup, this is not needed. + Such setup is unusual and therefore unneeded in most situations. Template: shared/ldapns/base-dn Type: string Default: dc=example,dc=net _Description: Distinguished name of the search base: - Please enter the distinguished name of the LDAP search base. Many sites - use the components of their domain names for this purpose. For example, - the domain "example.net" would use "dc=example,dc=net" as the + Please enter the distinguished name of the LDAP search base. Many sites + use the components of their domain names for this purpose. For example, + the domain 'example.net' would use 'dc=example,dc=net' as the distinguished name of the search base. Template: libpam-ldap/pam_password Type: select __Choices: clear, crypt, nds, ad, exop, md5 Default: crypt -_Description: Local crypt to use when changing passwords. - The PAM module can set the password crypt locally when changing the - passwords, this is usually a good choice. By setting this to something - else than clear you are making sure that the password gets crypted in some - way. - . - The meanings for selections are: - . - clear - Don't set any encryptions, this is useful with servers that - automatically encrypt userPassword entry. - . - crypt - (Default) make userPassword use the same format as the flat - filesystem. this will work for most configurations - . - nds - Use Novell Directory Services-style updating, first remove the old - password and then update with cleartext password. - . - ad - Active Directory-style. Create Unicode password and update unicodePwd - attribute - . - exop - Use the OpenLDAP password change extended operation to update the - password. +_Description: Local encryption algorithm to use for passwords: + The PAM module can encrypt the password locally when changing it, + which is recommended: + * clear: no encryption. This should be chosen when LDAP servers + automatically encrypt the userPassword entry; + * crypt: make userPassword use the same format as the flat + local password database. If in doubt, you should choose this option; + * nds: use Novell Directory Services-style updating. The old + password is first removed, then updated; + * ad: Active Directory-style. This creates a Unicode password and + updates the unicodePwd attribute; + * exop: use the OpenLDAP password change extended operation to update the + password. Template: shared/ldapns/ldap_version Type: select Choices: 3, 2 Default: 3 _Description: LDAP version to use: - Please enter which version of the LDAP protocol should be used by - ldapns. It is usually a good idea to set this to the highest - available version number. + Please choose the version of the LDAP protocol that should be used by + ldapns. Using the highest available version number is recommended. Template: libpam-ldap/binddn Type: string Default: cn=proxyuser,dc=example,dc=net _Description: Unprivileged database user: - Please enter the name of the account that will be used to log in to the LDAP + Please enter the name of the account that will be used to login to the LDAP database. . - Warning: DO NOT use privileged accounts for logging in, the configuration - file has to be world readable. + It is highly recommended to use an unprivileged account because + the configuration file that contains that account name and password + has to be world-readable. Template: libpam-ldap/dbrootlogin Type: boolean Default: true -_Description: Make local root Database admin. - This option will allow you to make password utilities that use pam, to - behave like you would be changing local passwords. +_Description: Allow LDAP admin account to behave like local root? + This option will allow password utilities that use PAM to + change local passwords. . - The password will be stored in a separate file which will be made + The LDAP admin account password will be stored in a separate file which will be made readable to root only. . - If you are using NFS mounted /etc or any other custom setup, you should - disable this. + If /etc is mounted by NFS, this option should be disabled. Template: shared/ldapns/ldap-server Type: string Default: ldapi:/// -_Description: LDAP server Uniform Resource Identifier: - Please enter the URI of the LDAP server used. This is a string in the - form ldap://<hostname or IP>:<port>/ . ldaps:// or ldapi:// can also - be used. The port number is optional. +_Description: LDAP server URI: + Please enter the Uniform Resource Identifier of the LDAP server. + The format is 'ldap://<hostname_or_IP>:<port>/'. Alternatively, + 'ldaps://' or 'ldapi://' can be used. The port number is optional. . - Note: It is usually a good idea to use an IP address; this reduces risks - of failure in the event name service is unavailable. + Using an IP address is recommended to avoid failures when + domain name services are unavailable. Template: libpam-ldap/bindpw Type: password _Description: Password for database login account: - Please enter the password that will be used to log in to the LDAP database. + Please enter the password that will be used to login to the LDAP database. Template: libpam-ldap/override Type: boolean Default: true -_Description: Make debconf change your config? - libpam-ldap has been moved to use debconf for its configuration. Should - the settings in debconf be applied to the configuration? Package - upgrades will use your answer here going forward. +_Description: Manage libpam-ldap configuration automatically? + The libpam-ldap package configuration may be managed automatically + from answers to questions asked during the configuration process. + The resulting configuration file may overwrite local changes. + . + If you do not choose this option, no further questions will be asked + and the configuration has to be done manually.
Source: libpam-ldap Section: admin Priority: extra Maintainer: Richard A Nelson (Rick) <cowboy@debian.org> Standards-Version: 3.7.2 Build-Depends: cdbs, patchutils, dh-buildinfo, debhelper (>= 4.1.3), autotools-dev, libldap2-dev, libpam0g-dev, po-debconf (>= 0.5.0) Package: libpam-ldap Architecture: any Depends: ${shlibs:Depends}, debconf (>= 0.5) | debconf-2.0 Suggests: libnss-ldap Description: Pluggable Authentication Module for LDAP This package provides an interface between an LDAP server and the PAM user authentication system. Using it along with libnss-ldap allows LDAP to entirely replace other lookup methods (such as NIS or flat-file) for system account tables.
Attachment:
signature.asc
Description: Digital signature