On Fri, 2010-12-10 at 15:31 +0100, Arthur de Jong wrote:
> If no-one thinks it is a bad idea I can change the earlier text to be a
> recommendation to switch to nss-pam-ldapd instead of a proposed
> workaround.

I've updated the patch to the release notes (attached) to become a recommendation to switch to nss-pam-ldapd. Note that I don't think this will totally fix the problem with sudo-ldap (haven't checked) because it will still do LDAP searches to retrieve the sudoers information. If those searches go over SSL/TLS the problem will still be triggered.

Dear release notes team, should this change be committed to the release notes?

Also, do you think it is a good idea to highlight the switch to nss-pam-ldapd a bit more in the "What's new" section? I think it should also be a good idea to switch for people not affected by this specific problem. I can provide a patch if needed.

Thanks.

-- 
-- arthur - adejong@debian.org - http://people.debian.org/~adejong --
Index: en/release-notes.dbk =================================================================== --- en/release-notes.dbk (revision 7951) +++ en/release-notes.dbk (working copy) @@ -390,6 +390,14 @@ <glossdef><para>Serial Advanced Technology Attachment</para></glossdef> </glossentry> <glossentry> + <glossterm>SSL</glossterm> + <glossdef><para>Secure Sockets Layer</para></glossdef> + </glossentry> + <glossentry> + <glossterm>TLS</glossterm> + <glossdef><para>Transport Layer Security</para></glossdef> + </glossentry> + <glossentry> <glossterm>USB</glossterm> <glossdef><para>Universal Serial Bus</para></glossdef> </glossentry> Index: en/issues.dbk =================================================================== --- en/issues.dbk (revision 7951) +++ en/issues.dbk (working copy) @@ -12,7 +12,7 @@ <section id="problems"> <title>Potential problems</title> -<para> +<para> Sometimes, changes introduced in a new release have side-effects we cannot reasonably avoid, or they expose bugs somewhere else. This section documents issues we are aware of. Please also 
@@ -434,6 +434,40 @@ </para> </section> +<section id="ldap"> + <title><acronym>LDAP</acronym> support</title> + <indexterm><primary>LDAP</primary></indexterm> + <para> + A feature in the cryptography libraries used in the + <acronym>LDAP</acronym> libraries causes programs that use + <acronym>LDAP</acronym> and attempt to change their effective + privileges to fail when connecting to an <acronym>LDAP</acronym> + server using <acronym>TLS</acronym> or <acronym>SSL</acronym>. + This can cause problems for <command>sudo</command> and + <command>su</command> when using + <systemitem role="package">libnss-ldap</systemitem> or + with <systemitem role ="package">sudo-ldap</systemitem>. + </para> + <para> + It is recommended to replace the + <systemitem role="package">libnss-ldap</systemitem> package with + <systemitem role="package">libnss-ldapd</systemitem>, a newer library + which uses separate daemon (<command>nslcd</command>) for all + <acronym>LDAP</acronym> lookups. The replacement for + <systemitem role="package">libpam-ldap</systemitem> is + <systemitem role="package">libpam-ldapd</systemitem>. + </para> + <para> + Note that <systemitem role="package">libnss-ldapd</systemitem> recommends + the NSS caching daemon (<command>nscd</command>) which you should evaluate + for suitability in your environment before installing. + </para> + <para> + Further information is available in bugs + <ulink url="&url-bts;566351">#566351</ulink> and + <ulink url="&url-bts;545414">#545414</ulink>. + </para> +</section> <section id="kde-desktop-changes" condition="fixme"> <title>KDE desktop</title>
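Review bot: the `@@ -12,7 +12,7 @@` hunk in en/issues.dbk replaces `<para>` with an identical-looking `<para>`, so it is a whitespace-only change unrelated to the LDAP section; drop it from the patch so the diff contains only the intended change and does not produce a spurious conflict for other editors of that file.

Review bot: in the new `<section id="ldap">` hunk, `<systemitem role ="package">sudo-ldap</systemitem>` has a stray space before `=`; write it as `<systemitem role="package">sudo-ldap</systemitem>` to match the other occurrences. Two wording points in the same hunk: "which uses separate daemon" should read "which uses a separate daemon", and "A feature in the cryptography libraries used in the LDAP libraries" does not tell the reader which behaviour triggers the failure (the covering mail says it is the privilege change combined with a TLS/SSL connection), so consider stating that directly, e.g. "the libraries refuse to operate in a process that has changed its effective privileges". More importantly, the first paragraph lists both <systemitem role="package">libnss-ldap</systemitem> and <systemitem role="package">sudo-ldap</systemitem> as affected, but the recommendation only covers replacing libnss-ldap and libpam-ldap with their nss-pam-ldapd counterparts; as the covering mail itself notes, sudo-ldap still performs its own LDAP searches for sudoers data over TLS/SSL, so add a sentence saying that switching to libnss-ldapd does not resolve the sudo-ldap case, otherwise readers will assume the workaround is complete.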