
[RFR] templates://libpam-ldap/{templates}



Please find, for review, the debconf templates and package descriptions for the libpam-ldap source package.

This review will last from Tuesday, May 19, 2009 to Friday, May 29, 2009.

Please send reviews as unified diffs (diff -u) against the original
files. Comments about your proposed changes will be appreciated.

Your review should be sent as an answer to this mail.

When appropriate, I will send intermediate requests for review, with
"[RFRn]" (n>=2) as a subject tag.

When we reach a consensus, I will send a "Last Chance For
Comments" mail with "[LCFC]" as a subject tag.

Finally, the reviewed templates will be sent to the package maintainer
as a bug report, and a mail will be sent to this list with "[BTS]" as
a subject tag.

Rationale:
--- libpam-ldap.old/debian/templates	2009-02-14 12:19:34.483870281 +0100
+++ libpam-ldap/debian/templates	2009-05-15 07:35:28.487557065 +0200
@@ -2,36 +2,40 @@
 Type: string
 Default: cn=manager,dc=example,dc=net
 _Description: LDAP account for root:
- This account will be used when root changes a password.
+ Please enter the LDAP account that will be used when the local
+ root account for this machine changes a password.

We generally discourage "linking" the synopsis and the long
description. Sometimes, the long description comes before, some other
times, it comes after the synopsis...and sometimes even, it is not
directly shown to users. The "Please enter" trick better copes with
all these situations.

Mention that "the root account" is the local one.

One could argue that the "root account" doesn't actually change
passwords...this is rather the person using it ...

  .
- Note: This account has to be a privileged account.
+ This account has to be a privileged account.

We often discourage "Note" as this doesn't really add much information.
 
 Template: libpam-ldap/rootbindpw
 Type: password
+#flag:comment:3
+# Translators: do not translate "${filename}"

The comment will appear for the second paragraph of the
synopsis. Sometimes translators make such mistakes.

 _Description: LDAP root account password:
  Please enter the password to use when ${package} tries to
  login to the LDAP directory using the LDAP account for root.
  .
- The password will be stored in a separate file ${filename}
+ The password will be stored in a separate file (${filename})
  which will be made readable to root only.
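
Review bot: The translator comment added to libpam-ldap/rootbindpw only protects "${filename}", but the first paragraph of the same description ("...when ${package} tries to login...") carries a second substitution variable that has no comment. Suggest a matching comment for that paragraph, or a comment wording that names both variables.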

${filename} should either be parenthesized or put between commas.
  .
- Entering an empty password will re-use the old password.
+ If that field is left empty, the previously stored password will
+ be re-used.

Clearer (imho). This is not exactly entering an empty password as the
final password turns out to be non empty, but the former one.

 
 Template: libpam-ldap/dblogin
 Type: boolean
 Default: false
 _Description: Does the LDAP database require login?
- Choose this option if you can't retrieve entries from
- the database without logging in.
+ Please choose whether the LDAP server enforces a login before
+ retrieving entries.

Our standard recommendation in such situations

  .
- Note: Under a normal setup, this is not needed.
+ Such setup is unusual and therefore unneeded in most situations.

Drop "Note:" and put a slightly stronger formulation.
 
 Template: shared/ldapns/base-dn
 Type: string
 Default: dc=example,dc=net
 _Description: Distinguished name of the search base:
- Please enter the distinguished name of the LDAP search base.  Many sites
- use the components of their domain names for this purpose.  For example,
- the domain "example.net" would use "dc=example,dc=net" as the
+ Please enter the distinguished name of the LDAP search base. Many sites
+ use the components of their domain names for this purpose. For example,
- the domain 'example.net' would use 'dc=example,dc=net' as the
  distinguished name of the search base.
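
Review bot: In the shared/ldapns/base-dn description, the line "the domain 'example.net' would use 'dc=example,dc=net' as the" carries a "-" marker although it is the replacement text with single quotes. As written, this fragment removes four lines and adds two, which leaves the sentence without its third line. The full patch further down has this line as "+", so the marker here should match.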

Drop double spaces (overall consistency among packages)

Use single quotes (the 'standard' we finally settled upon)
 
@@ -39,81 +43,74 @@
 Type: select
 __Choices: clear, crypt, nds, ad, exop, md5
 Default: crypt
-_Description: Local crypt to use when changing passwords.
- The PAM module can set the password crypt locally when changing the
- passwords, this is usually a good choice. By setting this to something
- else than clear you are making sure that the password gets crypted in some
- way.
- .
- The meanings for selections are:
- .
- clear - Don't set any encryptions, this is useful with servers that
- automatically encrypt userPassword entry.
- .
- crypt - (Default) make userPassword use the same format as the flat
- filesystem. this will work for most configurations
- .
- nds - Use Novell Directory Services-style updating, first remove the old
- password and then update with cleartext password.
- .
- ad - Active Directory-style. Create Unicode password and update unicodePwd
- attribute
- .
- exop - Use the OpenLDAP password change extended operation to update the
- password.
+_Description: Local encryption algorithm to use for passwords:
+ The PAM module can encrypt the password locally when changing it,
+ which is recommended:
+  * clear: no encryption. This should be chosen when LDAP servers
+    automatically encrypt the userPassword entry;
+  * crypt: make userPassword use the same format as the flat
+    local password database. If in doubt, you should choose this option;
+  * nds: use Novell Directory Services-style updating. The old
+    password is first removed, then updated;
+  * ad: Active Directory-style. This creates a Unicode password and
+    updates the unicodePwd attribute;
+  * exop: use the OpenLDAP password change extended operation to update the
+    password.
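
Review bot: The new enumeration under libpam-ldap/pam_password explains clear, crypt, nds, ad and exop, but "__Choices" also offers md5, which gets no entry (the removed text had none either). Since the list is being restructured anyway, add an md5 item so that every selectable value is explained. Two smaller points in the same list: the nds item drops the removed statement that the update is done "with cleartext password", which is relevant to anyone choosing that value, and the lead-in ends with "which is recommended:" directly before the "clear" item, the one choice that does no encryption, so the recommendation would read better as its own sentence ahead of the list.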

"Local crypt"....is cryptic to me..:-)

Shorten the first paragraph

"the" userPassword entry: "the" seems mandatory to me here. Other
changes are personal taste

crypt: avoid mentioning "default". In some situations (for instance
with preseeding debconf) that could be wrong. Users will see this is
the default, anyway..:). The format is not in the local file system,
but rather in the local password database

ad and exop: cosmetic changes

Avoid too many paragraphs. That makes the template not fit on one
screen (with my version, it probably doesn't as well, but at least the
long description does).

Use asterisks as standard for enumerations.

 
 Template: shared/ldapns/ldap_version
 Type: select
 Choices: 3, 2
 Default: 3
 _Description: LDAP version to use:
- Please enter which version of the LDAP protocol should be used by
- ldapns.  It is usually a good idea to set this to the highest
- available version number.
+ Please choose the version of the LDAP protocol that should be used by
+ ldapns. Using the highest available version number is recommended.

In such a case, we *choose* the protocol version (imho).

Use "<foo> is recommended" instead of "It is a good idea to do <foo>"

 
 Template: libpam-ldap/binddn
 Type: string
 Default: cn=proxyuser,dc=example,dc=net
 _Description: Unprivileged database user:
- Please enter the name of the account that will be used to log in to the LDAP
+ Please enter the name of the account that will be used to login to the LDAP
  database.

Justin will confirm (or not). I think this is debated but, in that
case, the presence of "to" makes the two words version look strange.

  .
- Warning: DO NOT use privileged accounts for logging in, the configuration
- file has to be world readable.
+ It is highly recommended to use an unprivileged account because
+ the configuration file that contains that account name and password
+ has to be world-readable.

Don't yell and just give facts.

 
 Template: libpam-ldap/dbrootlogin
 Type: boolean
 Default: true
-_Description: Make local root Database admin.
- This option will allow you to make password utilities that use pam, to
- behave like you would be changing local passwords.
+_Description: Allow LDAP admin account to behave like local root?
+ This option will allow password utilities that use PAM to
+ change local passwords.
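
Review bot: The rewritten first paragraph of libpam-ldap/dbrootlogin says password utilities will "change local passwords", whereas the removed text said they would "behave like you would be changing local passwords". The comparison with local password handling has been lost, and the sentence now reads as if local passwords themselves were affected. Suggest wording that keeps the comparison, for instance "...that use PAM to behave as they do when changing local passwords", and ask the maintainer to confirm the intended meaning.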

This is a boolean template, so the synopsis has to be a question.

Simplify the sentence that was (imho) awkward.

  .
- The password will be stored in a separate file which will be made
+ The LDAP admin account password will be stored in a separate file which will be made
  readable to root only.

Specify what password we're talking about...

  .
- If you are using NFS mounted /etc or any other custom setup, you should
- disable this.
+ If /etc is mounted by NFS, this option should be disabled.
 
 Template: shared/ldapns/ldap-server
 Type: string
 Default: ldapi:///
-_Description: LDAP server Uniform Resource Identifier:
- Please enter the URI of the LDAP server used. This is a string in the
- form ldap://<hostname or IP>:<port>/ . ldaps:// or ldapi:// can also
- be used. The port number is optional.
+_Description: LDAP server URI:
+ Please enter the Uniform Resource Identifier of the LDAP server.
+ The format is 'ldap://<hostname_or_IP>:<port>/'. Alternatively,
+ 'ldaps://' or 'ldapi://' can be used. The port number is optional.

"URI" is never defined before, so let's avoid jargon. Simplify other
sentences and avoid starting with "ldaps://".

  .
- Note: It is usually a good idea to use an IP address; this reduces risks
- of failure in the event name service is unavailable.
+ Using an IP address is recommended to avoid failures when
+ domain name services are unavailable.

Same comments as above.
 
 Template: libpam-ldap/bindpw
 Type: password
 _Description: Password for database login account:
- Please enter the password that will be used to log in to the LDAP database.
+ Please enter the password that will be used to login to the LDAP database.

Ditto
 
 Template: libpam-ldap/override
 Type: boolean
 Default: true
-_Description: Make debconf change your config?
- libpam-ldap has been moved to use debconf for its configuration. Should
- the settings in debconf be applied to the configuration?  Package
- upgrades will use your answer here going forward.
+_Description: Manage libpam-ldap configuration automatically?
+ The libpam-ldap package configuration may be managed automatically
+ from answers to questions asked during the configuration process.
+ The resulting configuration file may overwrite local changes.
+ .
+ If you do not choose this option, no further questions will be asked
+ and the configuration has to be done manually.

It is discouraged to make direct references to debconf (another tool
could exist to do the same job). The recommended wording goes around
"automatic configuration" and the like.

That more or less leads to a complete rewrite of the template.

Avoid leading lowercase from the package name by using the "The package
<foo>" trick


PS: I found nothing to change in the package's description in debian/control

-- 


Template: libpam-ldap/rootbinddn
Type: string
Default: cn=manager,dc=example,dc=net
_Description: LDAP account for root:
 Please enter the LDAP account that will be used when the local
 root account for this machine changes a password.
 .
 This account has to be a privileged account.

Template: libpam-ldap/rootbindpw
Type: password
#flag:comment:3
# Translators: do not translate "${filename}"
_Description: LDAP root account password:
 Please enter the password to use when ${package} tries to
 login to the LDAP directory using the LDAP account for root.
 .
 The password will be stored in a separate file (${filename})
 which will be made readable to root only.
 .
 If that field is left empty, the previously stored password will
 be re-used.

Template: libpam-ldap/dblogin
Type: boolean
Default: false
_Description: Does the LDAP database require login?
 Please choose whether the LDAP server enforces a login before
 retrieving entries.
 .
 Such setup is unusual and therefore unneeded in most situations.

Template: shared/ldapns/base-dn
Type: string
Default: dc=example,dc=net
_Description: Distinguished name of the search base:
 Please enter the distinguished name of the LDAP search base. Many sites
 use the components of their domain names for this purpose. For example,
 the domain 'example.net' would use 'dc=example,dc=net' as the
 distinguished name of the search base.

Template: libpam-ldap/pam_password
Type: select
__Choices: clear, crypt, nds, ad, exop, md5
Default: crypt
_Description: Local encryption algorithm to use for passwords:
 The PAM module can encrypt the password locally when changing it,
 which is recommended:
  * clear: no encryption. This should be chosen when LDAP servers
    automatically encrypt the userPassword entry;
  * crypt: make userPassword use the same format as the flat
    local password database. If in doubt, you should choose this option;
  * nds: use Novell Directory Services-style updating. The old
    password is first removed, then updated;
  * ad: Active Directory-style. This creates a Unicode password and
    updates the unicodePwd attribute;
  * exop: use the OpenLDAP password change extended operation to update the
    password.

Template: shared/ldapns/ldap_version
Type: select
Choices: 3, 2
Default: 3
_Description: LDAP version to use:
 Please choose the version of the LDAP protocol that should be used by
 ldapns. Using the highest available version number is recommended.

Template: libpam-ldap/binddn
Type: string
Default: cn=proxyuser,dc=example,dc=net
_Description: Unprivileged database user:
 Please enter the name of the account that will be used to login to the LDAP
 database.
 .
 It is highly recommended to use an unprivileged account because
 the configuration file that contains that account name and password
 has to be world-readable.

Template: libpam-ldap/dbrootlogin
Type: boolean
Default: true
_Description: Allow LDAP admin account to behave like local root?
 This option will allow password utilities that use PAM to
 change local passwords.
 .
 The LDAP admin account password will be stored in a separate file which will be made
 readable to root only.
 .
 If /etc is mounted by NFS, this option should be disabled.

Template: shared/ldapns/ldap-server
Type: string
Default: ldapi:///
_Description: LDAP server URI:
 Please enter the Uniform Resource Identifier of the LDAP server.
 The format is 'ldap://<hostname_or_IP>:<port>/'. Alternatively,
 'ldaps://' or 'ldapi://' can be used. The port number is optional.
 .
 Using an IP address is recommended to avoid failures when
 domain name services are unavailable.

Template: libpam-ldap/bindpw
Type: password
_Description: Password for database login account:
 Please enter the password that will be used to login to the LDAP database.

Template: libpam-ldap/override
Type: boolean
Default: true
_Description: Manage libpam-ldap configuration automatically?
 The libpam-ldap package configuration may be managed automatically
 from answers to questions asked during the configuration process.
 The resulting configuration file may overwrite local changes.
 .
 If you do not choose this option, no further questions will be asked
 and the configuration has to be done manually.
--- libpam-ldap.old/debian/templates	2009-02-14 12:19:34.483870281 +0100
+++ libpam-ldap/debian/templates	2009-05-19 14:12:28.159656214 +0200
@@ -2,118 +2,115 @@
 Type: string
 Default: cn=manager,dc=example,dc=net
 _Description: LDAP account for root:
- This account will be used when root changes a password.
+ Please enter the LDAP account that will be used when the local
+ root account for this machine changes a password.
  .
- Note: This account has to be a privileged account.
+ This account has to be a privileged account.
 
 Template: libpam-ldap/rootbindpw
 Type: password
+#flag:comment:3
+# Translators: do not translate "${filename}"
 _Description: LDAP root account password:
  Please enter the password to use when ${package} tries to
  login to the LDAP directory using the LDAP account for root.
  .
- The password will be stored in a separate file ${filename}
+ The password will be stored in a separate file (${filename})
  which will be made readable to root only.
  .
- Entering an empty password will re-use the old password.
+ If that field is left empty, the previously stored password will
+ be re-used.
 
 Template: libpam-ldap/dblogin
 Type: boolean
 Default: false
 _Description: Does the LDAP database require login?
- Choose this option if you can't retrieve entries from
- the database without logging in.
+ Please choose whether the LDAP server enforces a login before
+ retrieving entries.
  .
- Note: Under a normal setup, this is not needed.
+ Such setup is unusual and therefore unneeded in most situations.
 
 Template: shared/ldapns/base-dn
 Type: string
 Default: dc=example,dc=net
 _Description: Distinguished name of the search base:
- Please enter the distinguished name of the LDAP search base.  Many sites
- use the components of their domain names for this purpose.  For example,
- the domain "example.net" would use "dc=example,dc=net" as the
+ Please enter the distinguished name of the LDAP search base. Many sites
+ use the components of their domain names for this purpose. For example,
+ the domain 'example.net' would use 'dc=example,dc=net' as the
  distinguished name of the search base.
 
 Template: libpam-ldap/pam_password
 Type: select
 __Choices: clear, crypt, nds, ad, exop, md5
 Default: crypt
-_Description: Local crypt to use when changing passwords.
- The PAM module can set the password crypt locally when changing the
- passwords, this is usually a good choice. By setting this to something
- else than clear you are making sure that the password gets crypted in some
- way.
- .
- The meanings for selections are:
- .
- clear - Don't set any encryptions, this is useful with servers that
- automatically encrypt userPassword entry.
- .
- crypt - (Default) make userPassword use the same format as the flat
- filesystem. this will work for most configurations
- .
- nds - Use Novell Directory Services-style updating, first remove the old
- password and then update with cleartext password.
- .
- ad - Active Directory-style. Create Unicode password and update unicodePwd
- attribute
- .
- exop - Use the OpenLDAP password change extended operation to update the
- password.
+_Description: Local encryption algorithm to use for passwords:
+ The PAM module can encrypt the password locally when changing it,
+ which is recommended:
+  * clear: no encryption. This should be chosen when LDAP servers
+    automatically encrypt the userPassword entry;
+  * crypt: make userPassword use the same format as the flat
+    local password database. If in doubt, you should choose this option;
+  * nds: use Novell Directory Services-style updating. The old
+    password is first removed, then updated;
+  * ad: Active Directory-style. This creates a Unicode password and
+    updates the unicodePwd attribute;
+  * exop: use the OpenLDAP password change extended operation to update the
+    password.
 
 Template: shared/ldapns/ldap_version
 Type: select
 Choices: 3, 2
 Default: 3
 _Description: LDAP version to use:
- Please enter which version of the LDAP protocol should be used by
- ldapns.  It is usually a good idea to set this to the highest
- available version number.
+ Please choose the version of the LDAP protocol that should be used by
+ ldapns. Using the highest available version number is recommended.
 
 Template: libpam-ldap/binddn
 Type: string
 Default: cn=proxyuser,dc=example,dc=net
 _Description: Unprivileged database user:
- Please enter the name of the account that will be used to log in to the LDAP
+ Please enter the name of the account that will be used to login to the LDAP
  database.
  .
- Warning: DO NOT use privileged accounts for logging in, the configuration
- file has to be world readable.
+ It is highly recommended to use an unprivileged account because
+ the configuration file that contains that account name and password
+ has to be world-readable.
 
 Template: libpam-ldap/dbrootlogin
 Type: boolean
 Default: true
-_Description: Make local root Database admin.
- This option will allow you to make password utilities that use pam, to
- behave like you would be changing local passwords.
+_Description: Allow LDAP admin account to behave like local root?
+ This option will allow password utilities that use PAM to
+ change local passwords.
  .
- The password will be stored in a separate file which will be made
+ The LDAP admin account password will be stored in a separate file which will be made
  readable to root only.
  .
- If you are using NFS mounted /etc or any other custom setup, you should
- disable this.
+ If /etc is mounted by NFS, this option should be disabled.
 
 Template: shared/ldapns/ldap-server
 Type: string
 Default: ldapi:///
-_Description: LDAP server Uniform Resource Identifier:
- Please enter the URI of the LDAP server used. This is a string in the
- form ldap://<hostname or IP>:<port>/ . ldaps:// or ldapi:// can also
- be used. The port number is optional.
+_Description: LDAP server URI:
+ Please enter the Uniform Resource Identifier of the LDAP server.
+ The format is 'ldap://<hostname_or_IP>:<port>/'. Alternatively,
+ 'ldaps://' or 'ldapi://' can be used. The port number is optional.
  .
- Note: It is usually a good idea to use an IP address; this reduces risks
- of failure in the event name service is unavailable.
+ Using an IP address is recommended to avoid failures when
+ domain name services are unavailable.
 
 Template: libpam-ldap/bindpw
 Type: password
 _Description: Password for database login account:
- Please enter the password that will be used to log in to the LDAP database.
+ Please enter the password that will be used to login to the LDAP database.
 
 Template: libpam-ldap/override
 Type: boolean
 Default: true
-_Description: Make debconf change your config?
- libpam-ldap has been moved to use debconf for its configuration. Should
- the settings in debconf be applied to the configuration?  Package
- upgrades will use your answer here going forward.
+_Description: Manage libpam-ldap configuration automatically?
+ The libpam-ldap package configuration may be managed automatically
+ from answers to questions asked during the configuration process.
+ The resulting configuration file may overwrite local changes.
+ .
+ If you do not choose this option, no further questions will be asked
+ and the configuration has to be done manually.
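
Review bot: libpam-ldap/bindpw asks for the password in a single sentence, while the only statement that this password ends up in a world-readable configuration file sits in libpam-ldap/binddn ("the configuration file that contains that account name and password has to be world-readable"). The two password templates are also asymmetric: rootbindpw states where its password is stored and who can read it, bindpw does not. Suggest adding a second paragraph to bindpw saying that the password is stored in the world-readable configuration file, so the information is shown at the prompt where the password is actually typed.
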
Source: libpam-ldap
Section: admin
Priority: extra
Maintainer: Richard A Nelson (Rick) <cowboy@debian.org>
Standards-Version: 3.7.2
Build-Depends: cdbs, patchutils, dh-buildinfo, debhelper (>= 4.1.3), autotools-dev, libldap2-dev, libpam0g-dev, po-debconf (>= 0.5.0)

Package: libpam-ldap
Architecture: any
Depends: ${shlibs:Depends}, debconf (>= 0.5) | debconf-2.0
Suggests: libnss-ldap 
Description: Pluggable Authentication Module for LDAP
 This package provides an interface between an LDAP server and the PAM
 user authentication system. Using it along with libnss-ldap allows
 LDAP to entirely replace other lookup methods (such as NIS or
 flat-file) for system account tables.
