Re: [RFR] templates://nss-pam-ldapd/{nslcd.templates,libnss-ldapd.templates}

[Justin B Rye <justin.byam.rye@gmail.com>]

Christian PERRIER wrote:
> Your review should be sent as an answer to this mail.

What are we diffing against?  The original TAF copies didn't have
pynslcd/nslcd-utils, and the version I get with apt-get source has
various minor changes (e.g. to Build-Depends).  Oh, and it still
doesn't have the new packages... I'll stick to the TAF versions.

[...]
>  Package: libnss-ldapd
>  Architecture: any
> @@ -32,10 +30,10 @@
>  Conflicts: libnss-ldap
>  Provides: libnss-ldap
>  Description: NSS module for using LDAP as a naming service
> - This package provides a Name Service Switch module that allows your LDAP
> + This package provides a Name Service Switch module that allows using an LDAP
>   server to provide user account, group, host name, alias, netgroup, and
> - basically any other information that you would normally get from /etc flat
> - files or NIS.
> + basically any other information that you would normally be retrieved
> + from /etc flat files or NIS.
> 
> unpersonnalize and therefore turn into "allows using"

Or we could just make it "allows an LDAP server to...".  But you've
left in a surplus pronoun there.  Okay, make it:

    This package provides a Name Service Switch module that allows an LDAP
    server to provide user account, group, host name, alias, netgroup, and
    basically any other information that would normally be retrieved from NIS
    or flat files in /etc.

("/etc flat files" is the only part of this that still struck me as
subtly unidiomatic English, since the adjective "flat" ought to go
before the attributive noun "/etc".  Mind you, what does "flat" add
that isn't implied by it being a file in /etc?)

>  Package: libpam-ldapd
>  Architecture: any
> @@ -45,27 +43,23 @@
>  Conflicts: libpam-ldap
>  Provides: libpam-ldap
>  Description: PAM module for using LDAP as an authentication service
> - This package provides a Pluggable Authentication Module that allows
> + This package provides a Pluggable Authentication Module that provides
>   user authentication, authorisation and password management based on
>   credentials stored in an LDAP server.
> 
> Let's avoid the "allows" nightmare..:-)

Yes, it's providing these services rather than making them legal.  On
the other hand now we've got two uses of "provides" in the first line.
How about "supports"?

s/isation/ization,/
-- 
JBR	with qualifications in linguistics, experience as a Debian
	sysadmin, and probably no clue about this particular package

diff -ru nss-pam-ldapd-0.8.13.pristine/debian/control nss-pam-ldapd-0.8.13/debian/control
--- nss-pam-ldapd-0.8.13.pristine/debian/control	2013-03-09 15:02:08.000000000 +0000
+++ nss-pam-ldapd-0.8.13/debian/control	2013-05-17 09:49:39.749070433 +0100
@@ -2,8 +2,9 @@
 Section: admin
 Priority: extra
 Maintainer: Arthur de Jong <adejong@debian.org>
+Uploaders: Richard A Nelson (Rick) <cowboy@debian.org>
 Standards-Version: 3.9.4
-Build-Depends: debhelper (>=9), autotools-dev, libkrb5-dev, libldap2-dev, libsasl2-dev, po-debconf (>= 0.5.0), docbook2x, docbook-xml, libpam0g-dev
+Build-Depends: debhelper (>=9), libkrb5-dev, libldap2-dev, libsasl2-dev, po-debconf (>= 0.5.0), docbook2x, docbook-xml, libpam0g-dev
 Homepage: http://arthurdejong.org/nss-pam-ldapd/
 Vcs-Svn: http://arthurdejong.org/svn/nss-pam-ldapd/debian/nss-pam-ldapd/trunk/
 Vcs-Browser: http://arthurdejong.org/viewvc/nss-pam-ldapd/debian/nss-pam-ldapd/trunk/
@@ -16,12 +17,10 @@
 Suggests: kstart
 Replaces: libnss-ldapd (<< 0.7.0)
 Breaks: libnss-ldapd (<< 0.7.0)
-Description: Daemon for NSS and PAM lookups using LDAP
- This package provides a daemon for retrieving user account, and other
- system information from LDAP.
- .
- It is used by the libnss-ldapd and libpam-ldapd packages but by itself is
- not very useful.
+Description: daemon for NSS and PAM lookups using LDAP
+ This package provides a daemon for retrieving user accounts and similar
+ system information from LDAP. It is used by the libnss-ldapd and
+ libpam-ldapd packages but is not very useful by itself.
 
 Package: libnss-ldapd
 Architecture: any
@@ -31,10 +30,10 @@
 Conflicts: libnss-ldap
 Provides: libnss-ldap
 Description: NSS module for using LDAP as a naming service
- This package provides a Name Service Switch module that allows your LDAP
+ This package provides a Name Service Switch module that allows an LDAP
  server to provide user account, group, host name, alias, netgroup, and
- basically any other information that you would normally get from /etc flat
- files or NIS.
+ basically any other information that would normally be retrieved from NIS
+ or flat files in /etc.
 
 Package: libpam-ldapd
 Architecture: any
@@ -44,6 +43,22 @@
 Conflicts: libpam-ldap
 Provides: libpam-ldap
 Description: PAM module for using LDAP as an authentication service
- This package provides a Pluggable Authentication Module that allows
- user authentication, authorisation and password management based on
+ This package provides a Pluggable Authentication Module that supports
+ user authentication, authorization, and password management based on
  credentials stored in an LDAP server.
+
+Package: pynslcd
+Description: daemon for NSS and PAM lookups via LDAP - Python version
+ This package provides a daemon for retrieving user account and similar
+ system information from LDAP. It is used by the libnss-ldapd and
+ libpam-ldapd packages but is not very useful by itself.
+ .
+ This is an alternative Python implementation of nslcd. Note that it is
+ currently EXPERIMENTAL and has not undergone the same testing as nslcd.
+
+Package: nslcd-utils
+Description: utilities for querying LDAP via nslcd
+ This package provides tools to query and update information in LDAP
+ via nslcd:
+  * chsh.ldap - change a user's shell in LDAP;
+  * getent.ldap - perform LDAP lookups bypassing nsswitch configuration.
diff -ru nss-pam-ldapd-0.8.13.pristine/debian/libnss-ldapd.templates nss-pam-ldapd-0.8.13/debian/libnss-ldapd.templates
--- nss-pam-ldapd-0.8.13.pristine/debian/libnss-ldapd.templates	2012-01-20 16:05:16.000000000 +0000
+++ nss-pam-ldapd-0.8.13/debian/libnss-ldapd.templates	2013-05-17 09:30:03.512396301 +0100
@@ -2,7 +2,7 @@
 Type: multiselect
 Choices: aliases, ethers, group, hosts, netgroup, networks, passwd, protocols, rpc, services, shadow
 _Description: Name services to configure:
- For this package to work, you need to modify your /etc/nsswitch.conf to use
+ For this package to work, you need to modify the /etc/nsswitch.conf file to use
  the ldap datasource.
  .
  You can select the services that should have LDAP lookups enabled. The
diff -ru nss-pam-ldapd-0.8.13.pristine/debian/nslcd.templates nss-pam-ldapd-0.8.13/debian/nslcd.templates
--- nss-pam-ldapd-0.8.13.pristine/debian/nslcd.templates	2012-11-11 15:08:18.000000000 +0000
+++ nss-pam-ldapd-0.8.13/debian/nslcd.templates	2013-05-17 09:30:01.064469717 +0100
@@ -32,19 +32,19 @@
 Template: nslcd/ldap-binddn
 Type: string
 _Description: LDAP database user:
- Enter the name of the account that will be used to log in to the LDAP
+ Please enter the name of the account that will be used to log in to the LDAP
  database. This value should be specified as a DN (distinguished name).
 
 Template: nslcd/ldap-bindpw
 Type: password
 _Description: LDAP user password:
- Enter the password that will be used to log in to the LDAP database.
+ Please enter the password that will be used to log in to the LDAP database.
 
 Template: nslcd/ldap-sasl-mech
 Type: select
 Choices: auto, LOGIN, PLAIN, NTLM, CRAM-MD5, DIGEST-MD5, SCRAM, GSSAPI, SKEY, OTP, EXTERNAL
 _Description: SASL mechanism to use:
- Choose the SASL mechanism that will be used to authenticate to the LDAP
+ Please choose the SASL mechanism that will be used to authenticate to the LDAP
  database:
  .
   * auto: auto-negotiation;
@@ -53,27 +53,27 @@
   * NTLM: NT LAN Manager authentication mechanism;
   * CRAM-MD5: challenge-response scheme based on HMAC-MD5;
   * DIGEST-MD5: HTTP Digest compatible challenge-response scheme;
-  * SCRAM: a salted challenge-response mechanism;
+  * SCRAM: salted challenge-response mechanism;
   * GSSAPI: used for Kerberos;
-  * SKEY: an S/KEY mechanism (obsoleted by OTP);
-  * OTP: a One Time Password mechanism;
+  * SKEY: S/KEY mechanism (obsoleted by OTP);
+  * OTP: One Time Password mechanism;
   * EXTERNAL: authentication is implicit in the context.
 
 Template: nslcd/ldap-sasl-realm
 Type: string
 _Description: SASL realm:
- Enter the SASL realm that will be used to authenticate to the LDAP
+ Please enter the SASL realm that will be used to authenticate to the LDAP
  database.
  .
  The realm is appended to authentication and authorization identities.
  .
- For GSSAPI this can be left blank to use information from the Kerberos
- credential cache.
+ For GSSAPI, this can be left blank to use information from the Kerberos
+ credentials cache.
 
 Template: nslcd/ldap-sasl-authcid
 Type: string
 _Description: SASL authentication identity:
- Enter the SASL authentication identity that will be used to authenticate to
+ Please enter the SASL authentication identity that will be used to authenticate to
  the LDAP database.
  .
  This is the login used in LOGIN, PLAIN, CRAM-MD5, and DIGEST-MD5 mechanisms.
@@ -81,7 +81,7 @@
 Template: nslcd/ldap-sasl-authzid
 Type: string
 _Description: SASL proxy authorization identity:
- Enter the proxy authorization identity that will be used to authenticate to
+ Please enter the proxy authorization identity that will be used to authenticate to
  the LDAP database.
  .
  This is the object in the name of which the LDAP request is done.
@@ -90,7 +90,8 @@
 Template: nslcd/ldap-sasl-secprops
 Type: string
 _Description: Cyrus SASL security properties:
- Enter the Cyrus SASL security properties.
+ Please enter the Cyrus SASL security properties.
+ .
  Allowed values are described in the ldap.conf(5) manual page
  in the SASL OPTIONS section.
 
@@ -98,7 +99,7 @@
 Type: string
 Default: /var/run/nslcd/nslcd.tkt
 _Description: Kerberos credential cache file path:
- Enter the GSSAPI/Kerberos credential cache file name that will be used.
+ Please enter the GSSAPI/Kerberos credential cache file name that will be used.
 
 Template: nslcd/ldap-starttls
 Type: boolean
@@ -118,7 +119,7 @@
   * allow: a certificate will be requested, but it is not
            required or checked;
   * try: a certificate will be requested and checked, but if no
-         certificate is provided it is ignored;
+         certificate is provided, it is ignored;
   * demand: a certificate will be requested, required, and checked.
  .
  If certificate checking is enabled, at least one of the tls_cacertdir or

Source: nss-pam-ldapd
Section: admin
Priority: extra
Maintainer: Arthur de Jong <adejong@debian.org>
Uploaders: Richard A Nelson (Rick) <cowboy@debian.org>
Standards-Version: 3.9.4
Build-Depends: debhelper (>=9), libkrb5-dev, libldap2-dev, libsasl2-dev, po-debconf (>= 0.5.0), docbook2x, docbook-xml, libpam0g-dev
Homepage: http://arthurdejong.org/nss-pam-ldapd/
Vcs-Svn: http://arthurdejong.org/svn/nss-pam-ldapd/debian/nss-pam-ldapd/trunk/
Vcs-Browser: http://arthurdejong.org/viewvc/nss-pam-ldapd/debian/nss-pam-ldapd/trunk/

Package: nslcd
Architecture: any
Multi-Arch: foreign
Depends: ${misc:Depends}, ${shlibs:Depends}, adduser
Recommends: nscd, libnss-ldapd | libnss-ldap, libpam-ldapd | libpam-ldap | libpam-krb5 | libpam-heimdal | libpam-sss, ldap-utils, bind9-host | host
Suggests: kstart
Replaces: libnss-ldapd (<< 0.7.0)
Breaks: libnss-ldapd (<< 0.7.0)
Description: daemon for NSS and PAM lookups using LDAP
 This package provides a daemon for retrieving user accounts and similar
 system information from LDAP. It is used by the libnss-ldapd and
 libpam-ldapd packages but is not very useful by itself.

Package: libnss-ldapd
Architecture: any
Multi-Arch: same
Pre-Depends: ${misc:Pre-Depends}
Depends: ${misc:Depends}, ${shlibs:Depends}, nslcd (>= 0.7.0)
Conflicts: libnss-ldap
Provides: libnss-ldap
Description: NSS module for using LDAP as a naming service
 This package provides a Name Service Switch module that allows an LDAP
 server to provide user account, group, host name, alias, netgroup, and
 basically any other information that would normally be retrieved from NIS
 or flat files in /etc.

Package: libpam-ldapd
Architecture: any
Multi-Arch: same
Pre-Depends: ${misc:Pre-Depends}
Depends: ${misc:Depends}, ${shlibs:Depends}, nslcd, libpam-runtime (>= 1.0.1-6), libpam0g (>= 1.1.3-2)
Conflicts: libpam-ldap
Provides: libpam-ldap
Description: PAM module for using LDAP as an authentication service
 This package provides a Pluggable Authentication Module that supports
 user authentication, authorization, and password management based on
 credentials stored in an LDAP server.

Package: pynslcd
Description: daemon for NSS and PAM lookups via LDAP - Python version
 This package provides a daemon for retrieving user account and similar
 system information from LDAP. It is used by the libnss-ldapd and
 libpam-ldapd packages but is not very useful by itself.
 .
 This is an alternative Python implementation of nslcd. Note that it is
 currently EXPERIMENTAL and has not undergone the same testing as nslcd.

Package: nslcd-utils
Description: utilities for querying LDAP via nslcd
 This package provides tools to query and update information in LDAP
 via nslcd:
  * chsh.ldap - change a user's shell in LDAP;
  * getent.ldap - perform LDAP lookups bypassing nsswitch configuration.

Template: libnss-ldapd/nsswitch
Type: multiselect
Choices: aliases, ethers, group, hosts, netgroup, networks, passwd, protocols, rpc, services, shadow
_Description: Name services to configure:
 For this package to work, you need to modify the /etc/nsswitch.conf file to use
 the ldap datasource.
 .
 You can select the services that should have LDAP lookups enabled. The
 new LDAP lookups will be added as the last datasource. Be sure to review
 these changes.

Template: libnss-ldapd/clean_nsswitch
Type: boolean
Default: false
_Description: Remove LDAP from nsswitch.conf now?
 The following services are still configured to use LDAP for lookups:
   ${services}
 but the libnss-ldapd package is about to be removed.
 .
 You are advised to remove the entries if you don't plan on using LDAP for
 name resolution any more. Not removing ldap from nsswitch.conf should, for
 most services, not cause problems, but host name resolution could be affected
 in subtle ways.
 .
 You can edit /etc/nsswitch.conf by hand or choose to remove the entries
 automatically now. Be sure to review the changes to /etc/nsswitch.conf if you
 choose to remove the entries now.

Template: nslcd/ldap-uris
Type: string
_Description: LDAP server URI:
 Please enter the Uniform Resource Identifier of the LDAP server. The format
 is "ldap://<hostname_or_IP_address>:<port>/". Alternatively, "ldaps://" or
 "ldapi://" can be used. The port number is optional.
 .
 When using an ldap or ldaps scheme it is recommended to use an IP address to
 avoid failures when domain name services are unavailable.
 .
 Multiple URIs can be separated by spaces.

Template: nslcd/ldap-base
Type: string
_Description: LDAP server search base:
 Please enter the distinguished name of the LDAP search base. Many sites use
 the components of their domain names for this purpose. For example, the
 domain "example.net" would use "dc=example,dc=net" as the distinguished name
 of the search base.

Template: nslcd/ldap-auth-type
Type: select
__Choices: none, simple, SASL
_Description: LDAP authentication to use:
 Please choose what type of authentication the LDAP database should
 require (if any):
 .
  * none: no authentication;
  * simple: simple bind DN and password authentication;
  * SASL: any Simple Authentication and Security Layer mechanism.

Template: nslcd/ldap-binddn
Type: string
_Description: LDAP database user:
 Please enter the name of the account that will be used to log in to the LDAP
 database. This value should be specified as a DN (distinguished name).

Template: nslcd/ldap-bindpw
Type: password
_Description: LDAP user password:
 Please enter the password that will be used to log in to the LDAP database.

Template: nslcd/ldap-sasl-mech
Type: select
Choices: auto, LOGIN, PLAIN, NTLM, CRAM-MD5, DIGEST-MD5, SCRAM, GSSAPI, SKEY, OTP, EXTERNAL
_Description: SASL mechanism to use:
 Please choose the SASL mechanism that will be used to authenticate to the LDAP
 database:
 .
  * auto: auto-negotiation;
  * LOGIN: deprecated in favor of PLAIN;
  * PLAIN: simple cleartext password mechanism;
  * NTLM: NT LAN Manager authentication mechanism;
  * CRAM-MD5: challenge-response scheme based on HMAC-MD5;
  * DIGEST-MD5: HTTP Digest compatible challenge-response scheme;
  * SCRAM: salted challenge-response mechanism;
  * GSSAPI: used for Kerberos;
  * SKEY: S/KEY mechanism (obsoleted by OTP);
  * OTP: One Time Password mechanism;
  * EXTERNAL: authentication is implicit in the context.

Template: nslcd/ldap-sasl-realm
Type: string
_Description: SASL realm:
 Please enter the SASL realm that will be used to authenticate to the LDAP
 database.
 .
 The realm is appended to authentication and authorization identities.
 .
 For GSSAPI, this can be left blank to use information from the Kerberos
 credentials cache.

Template: nslcd/ldap-sasl-authcid
Type: string
_Description: SASL authentication identity:
 Please enter the SASL authentication identity that will be used to authenticate to
 the LDAP database.
 .
 This is the login used in LOGIN, PLAIN, CRAM-MD5, and DIGEST-MD5 mechanisms.

Template: nslcd/ldap-sasl-authzid
Type: string
_Description: SASL proxy authorization identity:
 Please enter the proxy authorization identity that will be used to authenticate to
 the LDAP database.
 .
 This is the object in the name of which the LDAP request is done.
 This value should be specified as a DN (distinguished name).

Template: nslcd/ldap-sasl-secprops
Type: string
_Description: Cyrus SASL security properties:
 Please enter the Cyrus SASL security properties.
 .
 Allowed values are described in the ldap.conf(5) manual page
 in the SASL OPTIONS section.

Template: nslcd/ldap-sasl-krb5-ccname
Type: string
Default: /var/run/nslcd/nslcd.tkt
_Description: Kerberos credential cache file path:
 Please enter the GSSAPI/Kerberos credential cache file name that will be used.

Template: nslcd/ldap-starttls
Type: boolean
_Description: Use StartTLS?
 Please choose whether the connection to the LDAP server should use
 StartTLS to encrypt the connection.

Template: nslcd/ldap-reqcert
Type: select
__Choices: never, allow, try, demand
_Description: Check server's SSL certificate:
 When an encrypted connection is used, a server certificate can be requested
 and checked. Please choose whether lookups should be configured to require
 a certificate, and whether certificates should be checked for validity:
 .
  * never: no certificate will be requested or checked;
  * allow: a certificate will be requested, but it is not
           required or checked;
  * try: a certificate will be requested and checked, but if no
         certificate is provided, it is ignored;
  * demand: a certificate will be requested, required, and checked.
 .
 If certificate checking is enabled, at least one of the tls_cacertdir or
 tls_cacertfile options must be put in /etc/nslcd.conf.