
Re: Bug#545414: sudo-ldap: sudo fails with "sudo: setreuid(ROOT_UID, user_uid): Operation not permitted" for ldap users

On Mon, 2010-12-27 at 17:43 +0100, Julien Cristau wrote:
> On Mon, Dec 27, 2010 at 17:39:25 +0100, Arthur de Jong wrote:
> > I will prepare a patch (or would you prefer something in the
> > NewInSqueeze wiki page?).
> A patch would be good, I think.

Attached is my proposal for the "What's new in Debian" section.

-- arthur - adejong@debian.org - http://people.debian.org/~adejong --
Index: en/whats-new.dbk
--- en/whats-new.dbk	(revision 7992)
+++ en/whats-new.dbk	(working copy)
@@ -437,6 +437,42 @@
+<section id="ldap">
+  <title><acronym>LDAP</acronym> support</title>
+  <indexterm><primary>LDAP</primary></indexterm>
+  <para>
+    With this release Debian comes with several options for implementing
+    client-side authentication using LDAP.
+    Users of the <systemitem role="package">libnss-ldap</systemitem> and
+    <systemitem role="package">libpam-ldap</systemitem> packages are
+    recommended to consider upgrading to
+    <systemitem role="package">libnss-ldapd</systemitem> and
+    <systemitem role="package">libpam-ldapd</systemitem>.
+  </para>
+  <para>
+    These newer packages delegate the <acronym>LDAP</acronym> queries to a central unprivileged
+    daemon (<command>nslcd</command>) that provides separation between the process using the <acronym>LDAP</acronym>
+    information and the daemon performing <acronym>LDAP</acronym> queries. This simplifies
+    handling of secured <acronym>LDAP</acronym> connections,
+    <acronym>LDAP</acronym> authentication credentials, provides a simpler
+    mechanism to perform connection  fail-over and debugging and avoids
+    loading <acronym>LDAP</acronym> and related libraries into most
+    applications.
+  </para>
+  <para>
+    Upgrading to <systemitem role="package">libnss-ldapd</systemitem> and
+    <systemitem role="package">libpam-ldapd</systemitem> should be easy
+    as existing configuration information will be re-used mostly.
+    Only for advanced configuration should any manual reconfiguration be
+    necessary.
+  </para>
+  <para>
+    These packages however currently lack support for nested groups and only
+    support password change using the <acronym>LDAP</acronym> password modify
+    EXOP operation.
+  </para>
 <section id="proposed-updates-intro">
   <title>The proposed-updates section</title>
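
Review bot: the new <section id="ldap"> has no closing tag in the lines shown. After the last </para> the hunk runs straight into the context line <section id="proposed-updates-intro">, so as posted the proposed-updates section would end up nested inside the LDAP section, or the file would fail to validate. Add </section> after the final </para>. Two wording points in the second paragraph: "connection  fail-over" has a double space, and the sentence starting "This simplifies handling of" switches from a list of things being simplified to a list of verbs ("provides", "avoids"). Splitting it into two sentences would read better. In the third paragraph, "will be re-used mostly" reads more naturally as "will mostly be re-used".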
