Sync to Debian for -ldap, drop Ubuntu's -auth-client

Bug #1646954 reported by Bryan Quigley
This bug affects 1 person
Affects                    Status   Importance  Assigned to  Milestone
ldap-auth-client (Ubuntu)  Invalid  Wishlist    Unassigned

Bug Description

Steps
Sync libnss-ldap with Debian unstable (265-5)
Sync libpam-ldap with Debian unstable (tested with 186-3 now 186-4)
Remove src:ldap-auth-client from artful archive (and binaries ldap-auth-config, ldap-auth-client)
 * Justification - Ubuntu specific, last updated 20 Dec 2011 to make it arch foreign. Last real update 11 Jul 2008.
Remove src/bin:auth-client-config
 * Justification - Ubuntu specific, last updated 17 Dec 2011 to make it build with dh_python2. Last real update 11 Jul 2008.

sssd is by far our recommended way to do LDAP auth today. We previously dropped to universe with the plan to drop like above some time after 16.04 (see bug 1408478).

These are all related because the majority (All?) of the diffs for libnss-ldap/libpam-ldap are to split them up to use the two Ubuntu-specific packages. As we no longer maintain them, we should drop them and revert back to the Debian builds.

$ reverse-depends src:auth-client-config
No reverse dependencies found
$ reverse-depends -b src:auth-client-config
No reverse dependencies found
$ reverse-depends src:ldap-auth-client
Reverse-Recommends
==================
* libnss-ldap (for ldap-auth-config) [Will be fixed by sync]

Reverse-Depends
===============
* libpam-ldap (for ldap-auth-config) [Will be fixed by sync]
$ reverse-depends -b src:ldap-auth-client
No reverse dependencies found

Christian Ehrhardt  (paelzer) wrote :

Hi Bryan,
I wondered: are you driving all of this, or are you just reporting and expecting us to do that?

Bryan Quigley (bryanquigley) wrote :

Hi Christian,
I'm not sure it's possible to do syncs with how interdependent the packages are in the Ubuntu versions. I was planning to give it a try this week. If you've got a clear idea of how we should do this, feel free to drive. I was just reporting it as something that I would like to get to.

description: updated
description: updated
Bryan Quigley (bryanquigley) wrote :

Have a PPA to try with: https://launchpad.net/~bryanquigley/+archive/ubuntu/ldap954-take3
(Just did debian-pull-source, then changed last changelog entry to zesty so could test in PPA - but version number hasn't changed, debuild -S -sa, then upload.)

Packages replace the old ones fine (it does prompt for LDAP questions again, but I think that's ok).
If you previously did sudo apt install libnss-ldap (http://pastebin.ubuntu.com/23660760/)
If you previously did sudo apt install ldap-auth-config (http://pastebin.ubuntu.com/23660776/)

description: updated
summary: - Remove src:ldap-auth-client from archive (yakkety)
+ Drop Ubuntu specific ldapauth and sync to Debian
summary: - Drop Ubuntu specific ldapauth and sync to Debian
+ Sync to Debian for -ldap, drop Ubuntu's -auth-client
Bryan Quigley (bryanquigley) wrote :

They don't have conflicts, so it looks like we can go for the 'easy' route

Mathew Hodson (mhodson)
Changed in ldap-auth-client (Ubuntu):
importance: Undecided → Wishlist
Michael Terry (mterry) wrote :

Looking at this now, I'm thinking this should wait until 17.10 opens (a little too late in the 17.04 cycle to make this switch).

Bryan Quigley (bryanquigley) wrote :

@mterry Agreed, it's a bit too late now, fine to wait for 17.10.

Nish Aravamudan (nacc) wrote :

I would subscribe ~ubuntu-archive to this and ask for some AA help if this is going to need to be done in a side PPA.

description: updated
description: updated
description: updated
Bryan Quigley (bryanquigley) wrote :

This should be higher than Wishlist. Many who install Ubuntu's -auth-client packages get a subpar experience.

Andreas Hasenack (ahasenack) wrote :

We have two big diffs regarding Debian:
- we use upstream's /etc/ldap.{conf,secret}; Debian uses /etc/pam_ldap{.conf,secret} for pam, and /etc/libnss-ldap.{conf,secret} for nss
- we use ldap-auth-config for configuration, whereas Debian uses plain debconf inside each package (pam and nss)

This bug is about the second item above, right? What are your thoughts about the migration of debconf data from ldap-auth-config back into the pam/nss packages?

Bryan Quigley (bryanquigley) wrote :

This bug is about reverting the full set of Ubuntu changes in these packages (they are intrinsically tied to the Ubuntu specific packages that have been unmaintained for quite some time now). As Ubuntu no longer recommends them (we strongly recommend and only support SSSD instead), my thinking is we should revert fully to what Debian has*.

>What are your thoughts about the migration of debconf data from ldap-auth-config back into the pam/nss packages?
If possible, that's great. I was nervous about corner cases so prompting seemed fine (and was what a sync would do by default).

* I wanted to aim for a Sync because I don't believe these packages are likely to get more attention in Ubuntu as we are strongly pushing in another direction. But that way if people do use them they get the latest fixes from Debian.

Andreas Hasenack (ahasenack) wrote :

Off the top of my head, I think the config file change is more problematic and less desirable:
- we are following upstream here by using /etc/ldap.{conf,secret}
- if we go back to adopting Debian's patch, that means more config files for the user to change: /etc/libpam-ldap.{conf,secret} and /etc/libnss-ldap.{conf,secret}. 4 in total, with duplicated information
- this complicates the upgrade path: two config files need to be split into 4
- honestly, I believe upstream is correct here

Do you have rewritten documentation or a guide that shows how to use sssd? Out of the box it doesn't work, for example. It doesn't even have a config file to start with. Ideally we should have a wizard for it, or debconf questions, just like we have today for lib{nss,pam}-ldap.

Anyway, this bug is not the right forum to discuss it :) Could you start a thread in the ubuntu-server@ mailing list perhaps?

Bryan Quigley (bryanquigley) wrote :

Thanks Andreas for explaining.

I do see we have a guide for sssd to AD (https://help.ubuntu.com/dev/serverguide/sssd-ad.html) but the docs currently do point to libnss-ldap - I'll look at updating the docs to SSSD before proceeding with this bug.

Bryan Quigley (bryanquigley) wrote :

The docs have been updated to no longer reference libnss-ldap: https://help.ubuntu.com/lts/serverguide/sssd-ad.html

It appears the SSSD docs have also been improved. Will see about revisiting the rest of this bug.

Changed in ldap-auth-client (Ubuntu):
status: New → Invalid