
Bug#624768: RM: libnss-db/2.2.3pre1-3.1



I am CCing the DSA team, because this affects them most...

On Mon, May 2, 2011 at 19:54, Julien Cristau <jcristau@debian.org> wrote:
> On Mon, May  2, 2011 at 14:30:13 +0200, Ondřej Surý wrote:
>
>> One alternative would be to adopt the package both in Debian and as an
>> upstream (or convince (e)glibc people to pick it up) and care about it
>> if it's important for Debian.
>>
>> I don't know the Debian infrastructure enough to be able to answer the
>> question, but wouldn't libnss-ldap do the job - DD accounts are stored
>> in LDAP, aren't they?
>>
> AIUI libnss-ldap means if your connection to the ldap server goes down
> temporarily for some reason you're locked out until it comes back.  That
> seems bad for a setup like Debian's which is heavily distributed.  So
> currently the account data is synchronized with ud-replicate and cron,
> and imported into bdb files for libnss-db use.

Well, libnss-ldap(d) + NSCD could do the trick for short offline
periods (with HA LDAP setup).

http://wiki.debian.org/LDAP/NSS

Same for PAM+LDAP:

http://wiki.debian.org/LDAP/PAM

However I am not strongly pushing one way (the upstream-adoption) or
another (the ldap+nscd) - however I feel that depending on
unmaintained software with a year-old security bug isn't really a good
option.

O.
-- 
Ondřej Surý <ondrej@sury.org>
http://blog.rfc1925.org/


