libpam-ldap should share openldap's configuration mechanism

Bug #1078102 reported by Peter Häring
Affects               Status    Importance  Assigned to  Milestone
libpam-ldap (Ubuntu)  Triaged   Medium      Unassigned
openldap (Ubuntu)     Triaged   Medium      Unassigned

Bug Description

Ubuntu Server 12.04

There is a file /etc/ldap.conf, where for example you can specify the location of certificates for ssl/tls operation of ldap utilities like ldapsearch. But it turns out that (at least ldapsearch) doesn't read /etc/ldap.conf, but /etc/ldap/ldap.conf, which is not present on the system.

Some articles on the Web say that /etc/ldap/ldap.conf is for the ldap utilities, /etc/ldap.conf for pam operation with ldap.
I made a symbolic link /etc/ldap/ldap.conf -> /etc/ldap.conf. After that ldapsearch works with ssl/tls.
I don't know whether pam needs a different ldap.conf, or can that symbolic link do a good job for most users?

Robie Basak (racb) wrote:

Thank you for taking the time to report this bug and helping to make Ubuntu better.

It is certainly confusing that PAM uses /etc/ldap.conf whereas openldap uses /etc/ldap/ldap.conf. But it isn't clear to me that these two files are actually of the same format, or that it is guaranteed that one is a superset of the other.

The pam_ldap(5) manpage says:

       pam_ldap stores its configuration in the ldap.conf file. (It should
       be noted that some LDAP client libraries, such as OpenLDAP, also
       use a configuration file of the same name. pam_ldap supports many
       of the same configuration file options as OpenLDAP, but it adds
       several that are specific to the functionality it provides. It is
       not guaranteed that pam_ldap will continue to match the
       configuration file semantics of OpenLDAP. You may wish to use
       different files.)

I think that doing something such as your symlink would have unintended consequences, so I'm not sure that a fix for the general case is trivial. And any change would best be coordinated with Debian.
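As an added illustration of the point above (not code from the bug report, libpam-ldap or openldap), this Python check reads a pam_ldap-style /etc/ldap.conf and reports which directives libldap would also understand, which are pam_ldap-only, and what ldapsearch would still lack if the file were symlinked to /etc/ldap/ldap.conf as the reporter did. The directive sets, the function names parse_directives and audit_shared_config, and the sample file are all assumptions made for this example, the sets being a subset read from ldap.conf(5) and pam_ldap(5).

```python
# Added example: audit a pam_ldap-style /etc/ldap.conf before sharing it with
# libldap's /etc/ldap/ldap.conf. Directive sets are an assumed subset taken from
# ldap.conf(5) and pam_ldap(5); libldap matches names case-insensitively.
OPENLDAP_DIRECTIVES = {
    "uri", "host", "port", "base", "binddn", "referrals", "sasl_mech", "tls_cacert",
    "tls_cacertdir", "tls_cert", "tls_key", "tls_reqcert", "tls_cipher_suite",
}
PAM_LDAP_ONLY = {  # documented for pam_ldap, unknown to libldap
    "bindpw", "rootbinddn", "scope", "ldap_version", "ssl", "tls_checkpeer",
    "tls_cacertfile", "pam_filter", "pam_login_attribute", "pam_password",
}

# Constructed sample of a pam_ldap /etc/ldap.conf (not from the bug report).
SAMPLE_PAM_LDAP_CONF = """\
uri ldap://ldap.example.com/
base dc=example,dc=com
ldap_version 3
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/example-ca.pem
binddn cn=proxy,dc=example,dc=com
bindpw placeholder-password
"""

def parse_directives(text):
    """Return [(name, value)] for non-comment lines, names lowercased."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            out.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return out

def audit_shared_config(text):
    """Classify directives and flag what ldapsearch would still lack under the symlink."""
    report = {"shared": [], "pam_ldap_only": [], "unrecognised": [], "warnings": []}
    pairs = parse_directives(text)
    names = {name for name, _ in pairs}
    for name, _ in pairs:
        bucket = ("shared" if name in OPENLDAP_DIRECTIVES
                  else "pam_ldap_only" if name in PAM_LDAP_ONLY else "unrecognised")
        report[bucket].append(name)
    if "tls_cacertfile" in names and "tls_cacert" not in names:
        report["warnings"].append("tls_cacertfile is pam_ldap-only; libldap wants TLS_CACERT")
    if "ssl" in names:  # pam_ldap's 'ssl start_tls' has no ldap.conf counterpart
        report["warnings"].append("ssl is pam_ldap-only; use an ldaps:// URI or ldapsearch -Z")
    return report
```

Running audit_shared_config(SAMPLE_PAM_LDAP_CONF) shows that the symlink hands libldap only uri, base and binddn; the TLS settings the reporter cares about are in pam_ldap's own vocabulary and would still be ignored by ldapsearch.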

affects: openldap (Ubuntu) → libpam-ldap (Ubuntu)
Changed in libpam-ldap (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
summary: - /etc/ldap/ldap.conf missing
+ libpam-ldap should share openldap's configuration file
summary: - libpam-ldap should share openldap's configuration file
+ libpam-ldap should share openldap's configuration mechanism
Changed in openldap (Ubuntu):
importance: Undecided → Medium
status: New → Triaged