libnss-ldap and libpam-ldap should use the same configuration file

The first problem that comes to mind is that of maintainer scripts. If pam_* and nss_* keys are in the same file, how do you push updates to libpam-ldap that don't break libnss-ldap? You can no longer rely on the automatic merge tools, but now have to manually add/remove/modify keys by name, and build a parser. It gets complicated.

Having libpam-ldap and libnss-ldap use ldap.conf at all is particularly problematic. ldap.conf it primarily the configuration file for the openldap client utilities developed and maintained by the openldap.org project. libnss-ldap and libpam-ldap are developed by PADL software. They just happen to look at the same file for their config directives (in addition to their own unique files). According to the pam_ldap(5) manpage:

" pam_ldap stores its configuration in the ldap.conf file. (It should be noted that some LDAP client libraries, such as OpenLDAP, also use a configuration file of the same name. pam_ldap supports many of the same configuration file options as OpenLDAP, but it adds several that are specific to the functionality it provides. **It is not guaranteed that pam_ldap will continue to match the configuration file semantics of OpenLDAP**. You may wish to use different files.)"

Having non-openldap related directives in ldap.conf is the subject of much confusion.

I agree with Zach's assessment of this.

However, I believe that, since pam_ldap and nss_ldap do in fact use the OpenLDAP client libraries, they should pull config information from ldap.conf. They should ALSO pull their own config info from their respective files.

This probably would require code modifications to both pam_ldap and nss_ldap, as I suspect there is no provision to point them at two files at the same time.

I believe both of these libraries are already pointed at two simultaneous files.

If I am not mistaken pam_ldap reads from both ldap.conf and pam_ldap.conf, and nss_ldap reads from ldap.conf and libnss-ldap.conf. That is my experience.

Well, libnss-ldap and libpam-ldap can both be compiled with specific configuration files (--with-ldap-conf-file).

Would it work to create a metapackage like ldap-config (much like krb5-config) that controls the configuration /etc/ldap-client.conf or something like that. Then lib{pam,nss}-ldap could depend on this.

Would that adequately separate the OpenLDAP and PADL stuff?

I don't think that they read 2 configuration files, there's only 1 fopen() call in libnss-ldap and libpam-ldap which reads whatever --with-ldap-conf-file was set to (/etc/ldap.conf) if nothing.

I guess openldap's clients use /etc/ldap/ldap.conf, and not /etc/*ldap.conf:

$ strace ldapsearch -x 2>&1 | grep ldap.conf
open("/etc/ldap/ldap.conf", O_RDONLY|O_LARGEFILE) = 3

/etc/ldap/ldap.conf and /etc/libnss-ldap.conf (or pam_ldap.conf) have some slightly different entries, and should not be symlinked.

On the other way, i think there's no problem to use only one file for NSS and PAM. In fact, i already use it, making a link from libnss-ldap.conf to pam_ldap.conf.

To be more precise, we _SHOULD_ be using only one file for these two, just make a head in these two files, and note this line:

"This is the configuration file for the LDAP nameservice switch library and the LDAP PAM module."

This is fixed in Gutsy. The new package ldap-auth-config provides and configures /etc/ldap.conf.

What if one wants to make it so that pam_ldap and nss_ldap bind with different users, for auditing reasons? By combining these two config files, if someone is using simple binds, this is no longer possible.

Additionally, the docs haven't been updated or dependencies, so people upgrading from previous versions will end up with a broken configuration. You're still shipping libnss-ldap.conf, referring to libnss-ldap.conf in the README.Debian etc.

This comes from a user in #ldap who was trying to work out why their new 7.10 install didn't work, as they'd just grabbed libnss-ldap and we were assuming it still used /etc/libnss-ldap.conf.

Quanah: you can specify an alternate configuration file in /etc/pam.d/common-* by adding a config=</path> argument to the pam_ldap.so entry, such as

    auth sufficient pam_ldap.so config=/etc/pam_ldap.conf

This would let you have two separate configurations: /etc/ldap.conf for NSS, and /etc/pam_ldap.conf for PAM.

ldap-auth-config pops up a great big warning, and asks if you want to reconfigure or migrate by hand, if it detects either of the old config files. There are no dependency issues as far as I know. We need specifics if we are to fix and documentation.

Hmm, I could swear the dependancy on ldap-auth-config wasn't there yesterday. So upgraders are ok, but documentation is still wrong - README.Debian in libnss-ldap and libpam-ldap still mentions the old way.