Re: Bug#545414: sudo-ldap: sudo fails with "sudo: setreuid(ROOT_UID, user_uid): Operation not permitted" for ldap users

Thanks for your remarks and sorry for the somewhat slow response.

I've used your comments to update the patch (see attachment).

Btw, do you know if there is some style guide available for the release
notes (or general info)?

-- arthur - adejong@debian.org - http://people.debian.org/~adejong --
Index: whats-new.dbk
--- whats-new.dbk	(revision 8022)
+++ whats-new.dbk	(working copy)
@@ -437,6 +437,42 @@
+<section id="ldap">
+  <title><acronym>LDAP</acronym> support</title>
+  <indexterm><primary>LDAP</primary></indexterm>
+  <para>
+    This Debian release comes with several options for implementing
+    client-side authentication using LDAP.
+    Users of the <systemitem role="package">libnss-ldap</systemitem> and
+    <systemitem role="package">libpam-ldap</systemitem> packages should
+    consider upgrading to
+    <systemitem role="package">libnss-ldapd</systemitem> and
+    <systemitem role="package">libpam-ldapd</systemitem>.
+  </para>
+  <para>
+    These newer packages delegate the <acronym>LDAP</acronym> queries to a central unprivileged
+    daemon (<command>nslcd</command>) that provides separation between the process using the <acronym>LDAP</acronym>
+    information and the daemon performing <acronym>LDAP</acronym> queries. This simplifies
+    handling of secured <acronym>LDAP</acronym> connections,
+    <acronym>LDAP</acronym> authentication credentials, provides a simpler
+    mechanism to perform connection fail-over and debugging and avoids
+    loading <acronym>LDAP</acronym> and related libraries into most
+    applications.
+  </para>
+  <para>
+    Upgrading to <systemitem role="package">libnss-ldapd</systemitem> and
+    <systemitem role="package">libpam-ldapd</systemitem> should be easy
+    as existing configuration information will be mostly reused.
+    Only for advanced configuration should any manual reconfiguration be
+    necessary.
+  </para>
+  <para>
+    These packages however currently lack support for nested groups and only
+    support password change using the <acronym>LDAP</acronym> password modify
+    EXOP operation.
+  </para>
 <section id="proposed-updates-intro">
   <title>The proposed-updates section</title>
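Review bot: The limitations in the last added paragraph (no nested group support, password change only through the password modify EXOP) come after the recommendation in the first paragraph and the "should be easy" upgrade paragraph, so an administrator who relies on nested groups for access decisions may act on "should consider upgrading" before reaching the caveat. Suggest moving that paragraph directly after the recommendation, or qualifying the recommendation itself, for example "should consider upgrading ... unless they depend on nested groups". Two smaller wording points: "using LDAP." in the first paragraph is the only occurrence without `<acronym>` markup, and "EXOP operation" is redundant since EXOP already stands for extended operation.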

Attachment: signature.asc
Description: This is a digitally signed message part
