libnss-ldap should not depend on libpam-ldap

Bug #1016592 reported by Cédric Dufour on 2012-06-22
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libnss-ldap (Ubuntu)

Bug Description

On Ubuntu 12.04, libnss-ldap (264-2.2ubuntu2) should not depend on libpam-ldap (via ldap-auth-config and ldap-auth-client).

Currently, if one installs libnss-ldap, libpam-ldap also gets installed through dependencies.

Installing LDAP name services does not - should not, actually - imply requiring authentication via LDAP.
On Debian, there is no such dependency.

Thank you for considering this suggestion.



Related branches

Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

libnss-ldap recommends libpam-ldap, which is the same as on Debian. On Ubuntu, recommendations are installed by default, but you can override this with apt-get --no-install-recommends.

As such, I'm closing this bug as Invalid. I suppose Ubuntu could relegate this recommends to a suggests, but I'm not sure this is necessary. Please set back to New with more discussion if you disagree.

Changed in libnss-ldap (Ubuntu):
status: New → Invalid

Thanks for your answer.

We actually have "install-recommends" disabled in /etc/apt/apt.conf.d

If you look closely, you will see that libnss-lap depends on ldap-auth-config, which in turn depends on ldap-auth-client, which in turn depends on libpam-ldap (thus the indirect dependency).

Debian has no such ldap-auth-config package (and thus dependencies).

In the end, maybe the problem lies more with the ldap-auth-config itself depending on ldap-auth-client. I understand the ldap-auth-config allows the seeding of the debcond database with the appropriate LDAP parameters for libnss-ldap to work. So maybe the the issue should be addressed at the level (by the maintainers) of the ldap-auth-config package rather than linnss-ldap's. Your call.



Changed in libnss-ldap (Ubuntu):
status: Invalid → Opinion
Robie Basak (racb) wrote :


Sorry. I saw "Recommends: libpam-ldap" on libnss-ldap and assumed that it was the recommends, without considering that there may be an indirect Depends route.

Looking at what ldap-auth-config does, I think it would make sense for libnss-ldap to recommend ldap-auth-config instead of depend on it. I'd like a second opinion on this though.

Changed in libnss-ldap (Ubuntu):
status: Opinion → New
Robie Basak (racb) wrote :

And I just realised that you pointed out the indirect route, too. My apologies again.

Robie Basak (racb) on 2012-06-22
Changed in libnss-ldap (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libnss-ldap - 264-2.2ubuntu3

libnss-ldap (264-2.2ubuntu3) quantal; urgency=low

  * Change dependency on ldap-auth-config to a recommendation only, since
    using LDAP name services does not automatically mean that authentication
    must be via LDAP (LP: #1016592).
 -- Robie Basak <email address hidden> Fri, 22 Jun 2012 22:09:08 +0100

Changed in libnss-ldap (Ubuntu):
status: Triaged → Fix Released

Thanks for that change. Cheers. Cédric

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers