libpam-ldap should share openldap's configuration mechanism
Bug #1078102 reported by Peter Häring
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libpam-ldap (Ubuntu) | Triaged | Medium | Unassigned |
openldap (Ubuntu) | Triaged | Medium | Unassigned |
Bug Description
Ubuntu Server 12.04
There is a file /etc/ldap.conf where, for example, you can specify the location of certificates for SSL/TLS operation of LDAP utilities like ldapsearch. But it turns out that (at least) ldapsearch doesn't read /etc/ldap.conf, but /etc/ldap/
Some articles on the Web say that /etc/ldap/ldap.conf is for the LDAP utilities, and /etc/ldap.conf for PAM operation with LDAP.
I made a symbolic link /etc/ldap/ldap.conf -> /etc/ldap.conf. After that ldapsearch works with SSL/TLS.
I don't know whether PAM needs a different ldap.conf, or whether that symbolic link can do a good job for most users?
Thank you for taking the time to report this bug and helping to make Ubuntu better.
It is certainly confusing that PAM uses /etc/ldap.conf whereas openldap uses /etc/ldap/ldap.conf. But it isn't clear to me that these two files are actually of the same format, or that it is guaranteed that one is a superset of the other.
The pam_ldap(5) manpage says:
    pam_ldap stores its configuration in the ldap.conf file. (It should
    be noted that some LDAP client libraries, such as OpenLDAP, also
    use a configuration file of the same name. pam_ldap supports many
    of the same configuration file options as OpenLDAP, but it adds
    several that are specific to the functionality it provides. It is
    not guaranteed that pam_ldap will continue to match the configuration
    file semantics of OpenLDAP. You may wish to use different
    files.)
I think that doing something such as your symlink would have unintended consequences, so I'm not sure that a fix for the general case is trivial. And any change would best be coordinated with Debian.
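To make the "same format" question above concrete, here is an added example (not code from the bug report, Ubuntu, OpenLDAP or pam_ldap): a small audit script that parses one ldap.conf-style file and reports which directives each consumer would not recognise if a single file served both /etc/ldap.conf (pam_ldap) and /etc/ldap/ldap.conf (OpenLDAP client library), and where a TLS trust setting exists in one dialect's spelling only. The directive lists are assumptions transcribed from ldap.conf(5) and pam_ldap(5) and should be checked against the manpages on your own system; the sample configuration is constructed.

```python
"""Audit one ldap.conf-style file against the two dialects that share its name.

Added example for this bug report; it is not code from Ubuntu, OpenLDAP or
pam_ldap. The directive lists are an assumption transcribed from ldap.conf(5)
(OpenLDAP client library) and pam_ldap(5) plus the example ldap.conf shipped
with pam_ldap; check them against the manpages installed on your system.
"""
import sys

# Directives the OpenLDAP client library reads from /etc/ldap/ldap.conf
# (assumed list, see module docstring).
OPENLDAP_DIRECTIVES = {
    "uri", "base", "binddn", "host", "port", "deref", "referrals",
    "sizelimit", "timelimit", "timeout", "network_timeout",
    "sasl_mech", "sasl_realm", "sasl_authcid", "sasl_authzid", "sasl_secprops",
    "tls_cacert", "tls_cacertdir", "tls_cert", "tls_key",
    "tls_cipher_suite", "tls_reqcert", "tls_crlcheck", "tls_randfile",
}

# Directives pam_ldap reads from /etc/ldap.conf (assumed list).
PAM_LDAP_DIRECTIVES = {
    "host", "base", "uri", "ldap_version", "binddn", "bindpw", "rootbinddn",
    "port", "scope", "timelimit", "bind_timelimit", "bind_policy",
    "ssl", "tls_checkpeer", "tls_cacertfile", "tls_cacertdir",
    "tls_ciphers", "tls_cert", "tls_key",
    "pam_filter", "pam_login_attribute", "pam_lookup_policy",
    "pam_check_host_attr", "pam_groupdn", "pam_member_attribute",
    "pam_min_uid", "pam_max_uid", "pam_password",
    "nss_base_passwd", "nss_base_shadow", "nss_base_group",
}

# Same purpose, different spelling: (OpenLDAP name, pam_ldap name). A file
# that sets only one side leaves the other consumer without that setting.
TLS_EQUIVALENTS = [
    ("tls_cacert", "tls_cacertfile"),
    ("tls_reqcert", "tls_checkpeer"),
]


def parse_directives(text):
    """Return {directive: value} for ldap.conf-style text.

    Blank lines and '#' comments are skipped; the first whitespace-separated
    word is the directive and the rest is its value. Names are lower-cased
    here so both dialects can be compared in one place.
    """
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        found[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return found


def audit(text):
    """Report what each consumer's own parser would miss in this single file."""
    present = set(parse_directives(text))
    report = {
        "ignored_by_pam_ldap": sorted(present & (OPENLDAP_DIRECTIVES - PAM_LDAP_DIRECTIVES)),
        "ignored_by_openldap": sorted(present & (PAM_LDAP_DIRECTIVES - OPENLDAP_DIRECTIVES)),
        "unknown_to_both": sorted(present - OPENLDAP_DIRECTIVES - PAM_LDAP_DIRECTIVES),
        "tls_trust_gaps": [],
    }
    for openldap_name, pam_name in TLS_EQUIVALENTS:
        if openldap_name in present and pam_name not in present:
            report["tls_trust_gaps"].append(
                f"{openldap_name} is set, but pam_ldap looks for {pam_name}")
        elif pam_name in present and openldap_name not in present:
            report["tls_trust_gaps"].append(
                f"{pam_name} is set, but the OpenLDAP client looks for {openldap_name}")
    return report


# Constructed sample: one file serving both paths, with OpenLDAP-style TLS
# directives next to pam_ldap-only directives.
SAMPLE_SHARED_CONF = """\
# constructed sample, not a real configuration
uri ldap://ldap.example.invalid/
base dc=example,dc=invalid
TLS_CACERT /etc/ssl/certs/example-ca.pem
TLS_REQCERT demand
binddn cn=proxy,dc=example,dc=invalid
bindpw placeholder-not-a-real-secret
ssl start_tls
pam_password md5
"""

if __name__ == "__main__":
    # Pass a file path to audit a real file; with no argument the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHARED_CONF
    for key, value in audit(text).items():
        print(f"{key}: {value if value else '-'}")
```

Run it against a candidate shared file (e.g. `python3 audit_ldap_conf.py /etc/ldap.conf`) before creating a symlink like the one in the report. On the constructed sample it lists TLS_CACERT and TLS_REQCERT as directives pam_ldap's own parser does not recognise, and bindpw, ssl and pam_password as ones the OpenLDAP client does not, which is exactly the vocabulary mismatch the triager points to: the script only shows that the two parsers do not share one vocabulary, not how each program behaves afterwards, so it supports the caution above rather than replacing it.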