
Re: integrating PAM module into nss-ldapd (RFH)



On Sat, 2009-05-30 at 16:05 -0700, Richard A Nelson wrote:
> This is great news! I've already converted all my boxes and am
> continually exhorting conversion to libnss-ldapd (mostly on IRC, but
> also those who report bugs on the libnss-ldap package).
>
> It seems to me, as the libnss-ldap maintainer, that libnss-ldapd is
> functional enough that we should deprecate libnss-ldap.

nss-ldapd still has some rough edges here and there but should be stable
enough for most environments. nss_ldap has some features though that
aren't implemented in nss-ldapd (most of which aren't documented if I
remember correctly). Also nss_ldap has seen more testing, especially in
Kerberos, SASL and SSL-related setups.

> I would also, as the pam-ldap maintainer, recommend similar deprecation
> for it once you have bind-auth (for auth), and exop (for pw change)
> going.

The PAM implementation I'm working on does a username to DN lookup and
attempts to bind with that DN. That seems to work fine in my test setup.
This module has seen very little testing though and authorisation and
password change currently aren't implemented.
> 
> There is already so many mis-configured machines out there, and the
> older packages have some significant issues, that I really believe
> Debian would do well by standardizing/offering only the one, superior,
> solution.

I think that keeping nss_ldap and pam_ldap around is generally a good
idea (mostly because of the feature differences) for as long as
someone is willing to maintain it.

Having said that I don't see a problem with having nss-ldapd as the
default NSS module for LDAP. For the PAM module I'm not confident enough
about the current code yet.

> > Also, I'm looking for people who are willing to spend some time on
> > nss-ldapd. I could use some help with the PAM packaging part, I know
> > libpam-runtime was changed recently so if anyone can help to get the
> > PAM packaging into shape that would be great.
>
> Whilst I'm no pam wizard (by any stretch), we can likely take some
> information from the extant pam-ldap package.

Neither am I (but I'm learning now). I didn't know much about NSS before
I began on nss-ldapd.

I already took the patch from Steve Langasek in #517971 which seems to
work ok.

The only thing I noticed was that pam_sm_acct_mgmt() does not seem to be
called with that configuration (probably pam_unix thinks enough
authorization has taken place in /etc/pam.d/common-account).

> > Since nss-ldapd seems to be used more often now, having a
> > co-maintainer for the package would really help. There is still
> > enough development work to be done but also packaging work with the
> > upcoming split.
>
> Count me in - in whatever way I can be of assistance ...  I've moved
> most of my machines to KRB5 auth, but the LDAP passwords are still
> being kept in sync; so I can easily run tests.

Great, I'll add you to the Uploaders field in the upcoming upload. I'll
also provide you with commit access to the repository. I'm thinking
about having one, maybe two more releases in the 0.6.x series and have a
0.7.x series with the PAM module enabled, the package rename and the
split into three packages.

> > Another important part where I would really welcome suggestions is a
> > better name for the software. I've seen some confusion over the
> > current name (people not noticing the d at the end) and with the
> > integration of PAM functionality the name no longer covers the
> > functionality.
>
> Yes, the name does cause confusion (often an issue on #ldap and
> #openldap), which is one reason I favour deprecation of the older
> packages (if not removal), and having one solution for Debian.

That does not fix the problem outside Debian though, e.g.:
http://www.securityfocus.com/bid/34211
https://bugzilla.redhat.com/show_bug.cgi?id=491623

> But even if we don't do that, I think the current name proposals make
> sense - even if somewhat confusing.

It's the best I could come up with ;) So unless a better alternative is
presented I think we'll have to stick with that.

> > Current work on integrating the PAM functionality can be tracked
> > here:
> > http://arthurenhella.demon.nl/svn/nss-ldapd/nss-pam-ldapd/
> > http://arthurenhella.demon.nl/viewvc/nss-ldapd/nss-pam-ldapd/
>
> /me makes a note to pull these Tuesday afternoon (this weekend is my
> 28th anniversary) - and we're still recovering from 3 weeks on the
> road, so I won't have much computer time until then.

I plan to integrate as much as possible from the nss-pam-ldapd branch
into the nss-ldapd branch to already get some code into the 0.6.x
releases.

Thanks for the feedback!

-- 
-- arthur - adejong@debian.org - http://people.debian.org/~adejong --
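The search-then-bind flow Arthur describes above (username to DN lookup, then a bind with that DN), written out as an added example in Python. This is not code from nss-ldapd, nss-pam-ldapd or pam_ldap: the directory is an in-memory stand-in constructed here, and the uid attribute, the base DN and the sample entries are assumptions. It also carries the two checks a practitioner would want around that flow: the username is escaped per RFC 4515 before it is placed in the search filter, so a value like `*` cannot widen the lookup, and an empty password is refused before binding, because a simple bind with an empty password is an unauthenticated bind that succeeds as anonymous (RFC 4513) and would look like success to a caller that only inspects the result code.

```python
import re
from dataclasses import dataclass

# RFC 4515 escaping for values placed inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string so the filter matches it literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def _unescape(value: str) -> str:
    """Reverse RFC 4515 \\xx escapes (used by the fake server below)."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


class BindError(Exception):
    """Raised when a simple bind with the given DN and password is rejected."""


@dataclass
class FakeDirectory:
    """In-memory stand-in for an LDAP server (constructed for this example)."""
    entries: dict  # dn -> {attribute: value}

    def search(self, base: str, filt: str) -> list:
        """Evaluate one equality/substring filter such as (uid=alice).

        As on a real server, an unescaped '*' is a wildcard; the escaped form
        \\2a is matched as a literal asterisk."""
        m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
        if m is None:
            raise ValueError(f"unsupported filter: {filt}")
        attr, raw = m.groups()
        pattern = ".*".join(re.escape(_unescape(part)) for part in raw.split("*"))
        return [dn for dn, attrs in self.entries.items()
                if dn.endswith(base) and attr in attrs
                and re.fullmatch(pattern, attrs[attr])]

    def simple_bind(self, dn: str, password: str) -> str:
        """Simple bind as in RFC 4513: an empty password is an unauthenticated
        bind, which succeeds but only grants anonymous access."""
        if password == "":
            return "anonymous"
        attrs = self.entries.get(dn)
        if attrs is None or attrs.get("userPassword") != password:
            raise BindError(f"invalid credentials for {dn}")
        return dn


def authenticate(directory: FakeDirectory, base: str, username: str, password: str):
    """Username -> DN lookup, then bind with that DN.

    Returns (True, dn) on success and (False, reason) otherwise."""
    if password == "":
        # Refuse before binding; otherwise the anonymous bind would "succeed".
        return False, "empty password refused"
    filt = f"(uid={escape_filter_value(username)})"
    matches = directory.search(base, filt)
    if len(matches) != 1:
        return False, f"expected exactly one entry for {username!r}, got {len(matches)}"
    dn = matches[0]
    try:
        directory.simple_bind(dn, password)
    except BindError:
        return False, "bind failed"
    return True, dn


# Constructed sample directory with two people entries (assumed schema).
BASE = "ou=people,dc=example,dc=org"
DIRECTORY = FakeDirectory({
    f"uid=alice,{BASE}": {"uid": "alice", "userPassword": "alice-pw"},
    f"uid=bob,{BASE}": {"uid": "bob", "userPassword": "bob-pw"},
})

if __name__ == "__main__":
    for user, pw in [("alice", "alice-pw"), ("alice", "wrong"),
                     ("alice", ""), ("*", "alice-pw")]:
        print(user, repr(pw), authenticate(DIRECTORY, BASE, user, pw))
```

Against a real server the same flow would use the lookup connection for the search and a fresh connection for the user bind; the control flow and the two guards are what carry over.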
