On Mon, Dec 27, 2010 at 16:15:38 +0100, Arthur de Jong wrote: > On Fri, 2010-12-10 at 15:31 +0100, Arthur de Jong wrote: > > If no-one thinks it is a bad idea I can change the earlier text to be a > > recommendation to switch to nss-pam-ldapd instead of a proposed > > workaround. > > I've updated the patch to the release notes (attached) to become a > recommendation to switch to nss-pam-ldapd. > Thanks. [snip] > > Also, do you think it is a good idea to highlight the switch to > nss-pam-ldapd a bit more in the "What's new" section? I think it should > also be a good idea to switch for people not affected by this specific > problem. I can provide a patch if needed. > Sounds like a good plan to me. > Index: en/issues.dbk > =================================================================== > --- en/issues.dbk (revision 7951) > +++ en/issues.dbk (working copy) > @@ -12,7 +12,7 @@ > > <section id="problems"> > <title>Potential problems</title> > -<para> > +<para> > Sometimes, changes introduced in a new release have side-effects > we cannot reasonably avoid, or they expose > bugs somewhere else. This section documents issues we are aware of. Please also Unrelated, please drop this hunk. 
> @@ -434,6 +434,40 @@ > </para> > </section> > > +<section id="ldap"> > + <title><acronym>LDAP</acronym> support</title> > + <indexterm><primary>LDAP</primary></indexterm> > + <para> > + A feature in the cryptography libraries used in the > + <acronym>LDAP</acronym> libraries causes programs that use > + <acronym>LDAP</acronym> and attempt to change their effective > + privileges to fail when connecting to an <acronym>LDAP</acronym> > + server using <acronym>TLS</acronym> or <acronym>SSL</acronym>. > + This can cause problems for <command>sudo</command> and > + <command>su</command> when using > + <systemitem role="package">libnss-ldap</systemitem> or > + with <systemitem role ="package">sudo-ldap</systemitem>. I think schroot may be affected as well (#589884). > + </para> > + <para> > + It is recommended to replace the > + <systemitem role="package">libnss-ldap</systemitem> package with > + <systemitem role="package">libnss-ldapd</systemitem>, a newer library > + which uses separate daemon (<command>nslcd</command>) for all > + <acronym>LDAP</acronym> lookups. The replacement for > + <systemitem role="package">libpam-ldap</systemitem> is > + <systemitem role="package">libpam-ldapd</systemitem>. > + </para> > + <para> > + Note that <systemitem role="package">libnss-ldapd</systemitem> recommends > + the NSS caching daemon (<command>nscd</command>) which you should evaluate > + for suitability in your environment before installing. Maybe mention unscd here, it's supposedly less crashy than nscd. > + </para> > + <para> > + Further information is available in bugs > + <ulink url="&url-bts;566351">#566351</ulink> and > + <ulink url="&url-bts;545414">#545414</ulink>. > + </para> > +</section> > > <section id="kde-desktop-changes" condition="fixme"> > <title>KDE desktop</title> Thanks for the patch! Cheers, Julien
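Review bot: In the first hunk of en/issues.dbk (@@ -12,7 +12,7 @@), the removed and added `<para>` lines are identical as shown, so the change can only be whitespace. It has nothing to do with the new LDAP section and should be dropped, so the release-notes diff carries only the intended addition.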
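Review bot: In the second hunk (@@ -434,6 +434,40 @@, the new `<section id="ldap">`), the first paragraph names sudo-ldap as affected, but the recommendation paragraph only gives replacements for libnss-ldap and libpam-ldap. A reader running sudo-ldap gets no guidance, so add a sentence saying what those users should do, or state plainly that the recommendation does not cover them. Two smaller points in the same hunk: `<systemitem role ="package">sudo-ldap</systemitem>` has a stray space before `=` that the other systemitem elements do not have, and "which uses separate daemon" should read "which uses a separate daemon". The opening "A feature in the cryptography libraries" would also be easier for an administrator to check against their own system if it named the library concerned.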