Re: Request for review
Arthur de Jong wrote:
> (please keep me in Cc because I'm not subscribed to the list)
[...]
> The question is presented from postinst if a problematic configuration
> is found.
I hope this means I'd only be asked this if I already had a modified
PAM stack, so I can be assumed to be moderately familiar with the
jargon.
> Template: libpam-ldapd/enable_shadow
> Type: boolean
> Default: true
> _Description: Enable shadow lookups through NSS?
> For the proper operation of the PAM stack the NSS module should return
> shadow information for LDAP users, otherwise these users will not be
                                   ^
Technically a "comma splice".
> able to log in. Note that the shadow entries themselves may be empty
> (i.e. it is not needed to expose password hashes).
        ^^
Unclear referent (in fact it's just impersonal, but that's not
obvious). Note that "Note that" is usually redundant.
> .
> More background information on this requirement can be found here:
> http://bugs.debian.org/583492
> .
> You can edit /etc/nsswitch.conf by hand or choose to add the entry
> automatically now. Be sure to review the changes to /etc/nsswitch.conf
> if you choose to add the entry now.
So that's:
_Description: Enable shadow lookups through NSS?
For the proper operation of the PAM stack the NSS module should return
shadow information for LDAP users; otherwise they will be unable to
log in. The shadow entries themselves may be empty - that is, there is
no need for password hashes to be exposed.
.
More background information on this requirement can be found here:
http://bugs.debian.org/583492
.
You can edit /etc/nsswitch.conf by hand or choose to add the entry
automatically now. Be sure to review the changes to /etc/nsswitch.conf
if you choose to add the entry now.
Or reshuffling it a lot more (and possibly distorting it in the
process):
To allow LDAP users to log in, the NSS module needs to be enabled to
perform shadow password lookups. The shadow entries themselves may be
empty - that is, there is no need for password hashes to be exposed. See
http://bugs.debian.org/583492 for background.
.
Please choose whether /etc/nsswitch should have the required entry added
automatically (in which case it should be reviewed afterwards) or whether
it should be left for an administrator to edit manually.
--
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package
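
The "problematic configuration" that triggers the question can be checked for by hand. The following is an added example, not part of this thread and not the package's postinst; the function name `shadow_has_service` is hypothetical, and it assumes the NSS service name to look for on the `shadow` line is `ldap`:

```shell
#!/bin/sh
# Added example, not the package's postinst. Assumption: the NSS service
# name to look for on the shadow line is "ldap".

# shadow_has_service FILE [SERVICE]
# Returns 0 if SERVICE is listed for the shadow database,
#         1 if a shadow line exists but does not list it,
#         2 if the file has no shadow line at all.
shadow_has_service() {
    awk -v svc="${2:-ldap}" '
        { sub(/#.*/, "") }                      # drop comments
        /^[ \t]*shadow[ \t]*:/ {
            seen = 1; inact = 0
            sub(/^[ \t]*shadow[ \t]*:/, "")
            n = split($0, tok, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                if (tok[i] ~ /^\[/) inact = 1   # inside [STATUS=action ...]
                if (!inact && tok[i] == svc) found = 1
                if (tok[i] ~ /\]$/) inact = 0
            }
        }
        END { if (found) exit 0; exit (seen ? 1 : 2) }
    ' "$1"
}

# Constructed sample input (not taken from any real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
passwd:  compat ldap
group:   compat ldap
shadow:  compat   # ldap not enabled for shadow
EOF
rc=0
shadow_has_service "$sample" ldap || rc=$?
echo "shadow lookups via ldap: exit status $rc"
rm -f "$sample"
```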