
Re: [RFR] templates://libpam-ldap/{templates}

Quoting Justin B Rye (jbr@edlug.org.uk):

> >  Template: libpam-ldap/rootbinddn
> [...]
> >  _Description: LDAP account for root:
> > - This account will be used when root changes a password.
> > + Please enter the LDAP account that will be used when the local
> > + root account for this machine changes a password.
> Apparently, at some point in the future, "the (local) root account"
> will change a password (presumably meaning one that's stored in
> LDAP), and the question I'm being asked is... what LDAP account
> "will be used" for this?  Okay, I'll guess "mine".  Do I win a
> prize?

Yes, the question is about the LDAP entry that is to be used to
authenticate against the LDAP server to do the password change. In
short, this is the LDAP administrative account.

> > - Note: This account has to be a privileged account.
> > + This account has to be a privileged account.
> Is it saying that I have to select one of the privileged accounts,
> because normal user accounts can't have LDAP write-access?  Or is it
> warning that the account I nominate will thereby become privileged?
> Or is this account one that's going to be created now?

The account that's used to update passwords must have write access to
the needed entries in the LDAP directory (I'm not sure I use the right
jargon as I don't speak LDAP very fluently).

> The best sense I can make of all this is that it's trying to say:
>  _Description: LDAP administrative account:
>   Please enter the name of the LDAP account that should be created with
>   administrative privileges (required for write-access to the database).

No, it is not created. It has to exist already.

> But that doesn't explain why it talks about the local root account.
> >  Template: libpam-ldap/rootbindpw
> [...]
> >  _Description: LDAP root account password:
> >   Please enter the password to use when ${package} tries to
> >   login to the LDAP directory using the LDAP account for root.
> "To log in", verb.  But... what's going on?  Packages have logins?
> If "the LDAP account for root" is the one I just named, it would be
> helpful if it would remember and use that name...

This is the one that got just named.

> >  Template: shared/ldapns/base-dn
> >  Type: string
> >  Default: dc=example,dc=net
> >  _Description: Distinguished name of the search base:
> > + Please enter the distinguished name of the LDAP search base. Many sites
> > + use the components of their domain names for this purpose. For example,
> >   the domain 'example.net' would use 'dc=example,dc=net' as the
> >   distinguished name of the search base.
> >
> > Use single quotes (the 'standard' we finally settled upon)
> Did we?  Oh well.

Oh, crap. My mistake. We settled this the other way..:-)

> >  Template: libpam-ldap/bindpw
> >  Type: password
> >  _Description: Password for database login account:
> > + Please enter the password that will be used to login to the LDAP database.
> That's not very helpful... after all, does it mean the privileged
> one (from libpam-ldap/rootbinddn) or the unprivileged one (from
> libpam-ldap/binddn)?  I'm aware this would require extra work,
> but it seems to me the best way of asking this would be by saying:
>     Please enter the password for the (non-administrative) ${user} account.

Yes, that's confusing.

In short, there is a "read only" account that's used to get info from
LDAP, when the LDAP server is set up to enforce logins, and a "write"
account that's used when local user management commands (such as
passwd) need to write back to the LDAP directory.

So, hopefully, all this will help you to come up with a patch..:-)


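The two bind identities described in the message above (a read-only "binddn" for lookups and a privileged "rootbinddn" used when root runs passwd) are easy to mix up in the resulting configuration, so here is an added example, not part of the thread or of the libpam-ldap package, that parses a pam_ldap.conf-style file, reports which DN plays which role, and flags the handling mistakes a reviewer would look for. It assumes the pam_ldap.conf syntax of one "key value" per line with '#' comments, and assumes the root bind password lives in a separate root-only secret file next to the config (the package's /etc/pam_ldap.secret convention; the path here is a constructed temp file). The sample config is constructed for the demo.

```python
"""Audit a pam_ldap.conf for the read-only and privileged bind identities.

Added example; file contents and paths are constructed, not taken from a
real system or from the libpam-ldap package.
"""
import os
import stat
import tempfile

# Constructed sample config in pam_ldap.conf syntax ("key value" per line).
SAMPLE_CONF = """\
# constructed example, not a real site
base dc=example,dc=net
uri ldap://ldap.example.net/
# read-only identity used for lookups when the server enforces logins
binddn cn=proxyuser,dc=example,dc=net
bindpw proxy-password-in-a-world-readable-file
# privileged identity used when root changes a password; its password
# is expected in a separate root-only secret file, not in this file
rootbinddn cn=admin,dc=example,dc=net
pam_password exop
"""


def parse_pam_ldap_conf(text):
    """Return {key: value} from 'key value' lines; comments and blanks skipped.
    A later occurrence of a key overrides an earlier one."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def world_readable(path):
    """True if the 'other' read bit is set on path."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit(conf_path, secret_path):
    """Return (identities, findings) for a config file and its secret file."""
    with open(conf_path) as f:
        conf = parse_pam_ldap_conf(f.read())
    identities = {"readonly": conf.get("binddn"), "write": conf.get("rootbinddn")}
    findings = []
    # The read-only password sits in the (normally world-readable) config:
    # anyone on the box can read it, so it must not be a privileged account.
    if "bindpw" in conf and world_readable(conf_path):
        findings.append("bindpw stored in world-readable %s" % conf_path)
    # The privileged password must exist and be readable by root only.
    if conf.get("rootbinddn"):
        if not os.path.exists(secret_path):
            findings.append("rootbinddn set but %s is missing" % secret_path)
        elif world_readable(secret_path):
            findings.append("secret file %s is world-readable" % secret_path)
    # Using one DN for both roles defeats the point of having two.
    if conf.get("rootbinddn") and conf.get("rootbinddn") == conf.get("binddn"):
        findings.append("read-only and write identities are the same DN")
    return identities, findings


def demo(secret_mode=0o644):
    """Write the constructed config and secret to a temp dir and audit them.
    secret_mode=0o644 shows the mistake; 0o600 is the corrected setting."""
    d = tempfile.mkdtemp()
    conf_path = os.path.join(d, "pam_ldap.conf")
    secret_path = os.path.join(d, "pam_ldap.secret")
    with open(conf_path, "w") as f:
        f.write(SAMPLE_CONF)
    os.chmod(conf_path, 0o644)
    with open(secret_path, "w") as f:
        f.write("constructed-admin-password\n")
    os.chmod(secret_path, secret_mode)
    return audit(conf_path, secret_path)


if __name__ == "__main__":
    for mode in (0o644, 0o600):
        ids, findings = demo(mode)
        print("secret mode %o:" % mode, ids)
        for finding in findings:
            print("  -", finding)
```

Running it once with the secret file at 0644 and once at 0600 shows the second finding disappear, which is the check to make after the debconf run: the read-only DN and its password may live in the world-readable config, but the DN named in rootbinddn must have its password only in a root-readable file.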