On Mon, 2010-12-27 at 16:36 +0100, Julien Cristau wrote:
> > Also, do you think it is a good idea to highlight the switch to
> > nss-pam-ldapd a bit more in the "What's new" section? I think it should
> > also be a good idea to switch for people not affected by this specific
> > problem. I can provide a patch if needed.
>
> Sounds like a good plan to me.

I will prepare a patch (or would you prefer something in the NewInSqueeze
wiki page?). Do you want me to commit this part (new version attached)?

> > <title>Potential problems</title>
> > -<para>
> > +<para>
> > Sometimes, changes introduced in a new release have side-effects
>
> Unrelated, please drop this hunk.

Oops, editor automatically removing trailing spaces.

> I think schroot may be affected as well (#589884).

Rephrased a bit and added schroot.

> > + Note that <systemitem role="package">libnss-ldapd</systemitem> recommends
> > + the NSS caching daemon (<command>nscd</command>) which you should evaluate
> > + for suitability in your environment before installing.
>
> Maybe mention unscd here, it's supposedly less crashy than nscd.

I didn't think unscd would make it into squeeze but it's great that it
will. I've added a line about unscd. I'm using unscd on my box without
issues but then again, I never really ran into major issues with nscd.

-- 
-- arthur - adejong@debian.org - http://people.debian.org/~adejong --

Index: en/release-notes.dbk
===================================================================
--- en/release-notes.dbk (revision 7951)
+++ en/release-notes.dbk (working copy)
@@ -390,6 +390,14 @@
<glossdef><para>Serial Advanced Technology Attachment</para></glossdef>
</glossentry>
<glossentry>
+ <glossterm>SSL</glossterm>
+ <glossdef><para>Secure Sockets Layer</para></glossdef>
+ </glossentry>
+ <glossentry>
+ <glossterm>TLS</glossterm>
+ <glossdef><para>Transport Layer Security</para></glossdef>
+ </glossentry>
+ <glossentry>
<glossterm>USB</glossterm>
<glossdef><para>Universal Serial Bus</para></glossdef>
</glossentry>
Index: en/issues.dbk
===================================================================
--- en/issues.dbk (revision 7951)
+++ en/issues.dbk (working copy)
@@ -434,6 +434,44 @@
</para>
</section>
+<section id="ldap">
+ <title><acronym>LDAP</acronym> support</title>
+ <indexterm><primary>LDAP</primary></indexterm>
+ <para>
+ A feature in the cryptography libraries used in the
+ <acronym>LDAP</acronym> libraries causes programs that use
+ <acronym>LDAP</acronym> and attempt to change their effective
+ privileges to fail when connecting to an <acronym>LDAP</acronym>
+ server using <acronym>TLS</acronym> or <acronym>SSL</acronym>.
+ This can cause problems for suid programs on systems using
+ <systemitem role="package">libnss-ldap</systemitem> like
+ <command>sudo</command>, <command>su</command> or
+ <command>schroot</command> and for suid programs that perform LDAP
+ searches like <systemitem role ="package">sudo-ldap</systemitem>.
+ </para>
+ <para>
+ It is recommended to replace the
+ <systemitem role="package">libnss-ldap</systemitem> package with
+ <systemitem role="package">libnss-ldapd</systemitem>, a newer library
+ which uses separate daemon (<command>nslcd</command>) for all
+ <acronym>LDAP</acronym> lookups. The replacement for
+ <systemitem role="package">libpam-ldap</systemitem> is
+ <systemitem role="package">libpam-ldapd</systemitem>.
+ </para>
+ <para>
+ Note that <systemitem role="package">libnss-ldapd</systemitem> recommends
+ the NSS caching daemon (<systemitem role="package">nscd</systemitem>)
+ which you should evaluate for suitability in your environment before
+ installing.
+ As an alternative to <systemitem role="package">nscd</systemitem> you
+ can consider <systemitem role="package">unscd</systemitem>.
+ </para>
+ <para>
+ Further information is available in bugs
+ <ulink url="&url-bts;566351">#566351</ulink> and
+ <ulink url="&url-bts;545414">#545414</ulink>.
+ </para>
+</section>
<section id="kde-desktop-changes" condition="fixme">
<title>KDE desktop</title>
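
Review bot: in the second added <para> of the new "ldap" section, "which uses separate daemon (<command>nslcd</command>)" is missing an article and should read "which uses a separate daemon". In the first paragraph, <systemitem role ="package">sudo-ldap</systemitem> has a stray space before the "=", unlike every other role="package" attribute in this hunk, and "perform LDAP searches" leaves LDAP bare where the rest of the section wraps it in <acronym>. The first paragraph also says only "A feature in the cryptography libraries" without naming the library or the feature, so an administrator has to follow the two bug links to judge whether a given setup is affected; a short clause naming them would make the entry usable on its own.
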