libpam-ldap should share openldap's configuration mechanism

Bug #1078102 reported by Peter Häring on 2012-11-12
This bug affects 1 person
Affects               Status   Importance  Assigned to
libpam-ldap (Ubuntu)  Triaged  Medium      Unassigned
openldap (Ubuntu)     Triaged  Medium      Unassigned

Bug Description

Ubuntu Server 12.04

There is a file /etc/ldap.conf where, for example, you can specify the location of certificates for SSL/TLS operation of LDAP utilities like ldapsearch. But it turns out that (at least) ldapsearch doesn't read /etc/ldap.conf but /etc/ldap/ldap.conf, which is not present on the system.

Some articles on the Web say that /etc/ldap/ldap.conf is for the LDAP utilities and /etc/ldap.conf for PAM operation with LDAP.
I created a symbolic link /etc/ldap/ldap.conf -> /etc/ldap.conf. After that ldapsearch works with SSL/TLS.
I don't know whether PAM needs a different ldap.conf, or whether that symbolic link can do a good job for most users?

Robie Basak (racb) wrote:

Thank you for taking the time to report this bug and helping to make Ubuntu better.

It is certainly confusing that PAM uses /etc/ldap.conf whereas openldap uses /etc/ldap/ldap.conf. But it isn't clear to me that these two files are actually of the same format, or that it is guaranteed that one is a superset of the other.

The pam_ldap(5) manpage says:

       pam_ldap stores its configuration in the ldap.conf file. (It should
       be noted that some LDAP client libraries, such as OpenLDAP, also
       use a configuration file of the same name. pam_ldap supports many
       of the same configuration file options as OpenLDAP, but it adds
       several that are specific to the functionality it provides. It is
       not guaranteed that pam_ldap will continue to match the
       configuration file semantics of OpenLDAP. You may wish to use
       different files.)

I think that doing something such as your symlink would have unintended consequences, so I'm not sure that a fix for the general case is trivial. And any change would best be coordinated with Debian.
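The two points above (the reporter's symlink making ldapsearch pick up its TLS settings, and the manpage's warning that pam_ldap and OpenLDAP only partly share directive semantics) can be made concrete with a small checker. This is an added example, not code from the bug report, from libpam-ldap or from openldap: it parses one ldap.conf-style file and reports, per consumer, which TLS trust settings that consumer would find unset because the file only carries the other consumer's directive name for them. The directive names come from ldap.conf(5) (TLS_CACERT, TLS_CACERTDIR, TLS_REQCERT) and pam_ldap(5) (tls_cacertfile, tls_cacertdir, tls_checkpeer); treating keys case-insensitively is documented for libldap and is an assumption of this toy for pam_ldap's own parser. The sample file, hostname and CA path are constructed.

```python
"""Toy checker: which TLS trust settings each consumer would recognise in an ldap.conf.

Added example, not part of the bug report or of either package.  Directive names:
  - OpenLDAP client library, ldap.conf(5): TLS_CACERT, TLS_CACERTDIR, TLS_REQCERT
  - pam_ldap, pam_ldap(5):                 tls_cacertfile, tls_cacertdir, tls_checkpeer
Assumption: directive names are compared case-insensitively for both consumers
(documented for libldap in ldap.conf(5); assumed here for pam_ldap's own parser).
"""
from typing import Dict, List, Optional

# Same concept, different directive name per consumer (lower-cased for comparison).
DIRECTIVES: Dict[str, Dict[str, str]] = {
    "openldap": {"ca_file": "tls_cacert", "ca_dir": "tls_cacertdir", "verify": "tls_reqcert"},
    "pam_ldap": {"ca_file": "tls_cacertfile", "ca_dir": "tls_cacertdir", "verify": "tls_checkpeer"},
}

# Constructed sample: one file read by both consumers, as with the reporter's
# symlink /etc/ldap/ldap.conf -> /etc/ldap.conf.  The CA file is named only under
# the OpenLDAP directive, peer verification under both.  Host and path are made up.
SAMPLE_SHARED_CONF = """\
URI ldaps://ldap.example.test/
BASE dc=example,dc=test
# OpenLDAP client-library directives
TLS_CACERT /etc/ssl/certs/example-ca.pem
TLS_REQCERT demand
# pam_ldap directives
ssl on
tls_checkpeer yes
"""


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """'DIRECTIVE value' per line; '#' comments and blank lines ignored; last one wins."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def tls_view(conf: Dict[str, str], consumer: str) -> Dict[str, Optional[str]]:
    """The TLS settings `consumer` would see, keyed by concept rather than directive name."""
    return {concept: conf.get(name) for concept, name in DIRECTIVES[consumer].items()}


def missing_for(conf: Dict[str, str], consumer: str) -> List[str]:
    """Concepts unset for `consumer` even though the other consumer's directive sets them.

    These are the lines an administrator wrote once, expecting them to apply to both.
    """
    other = next(c for c in DIRECTIVES if c != consumer)
    mine, theirs = tls_view(conf, consumer), tls_view(conf, other)
    return sorted(c for c in mine if mine[c] is None and theirs[c] is not None)


def report(text: str) -> Dict[str, List[str]]:
    """Per consumer, the TLS concepts it would miss in a shared file."""
    conf = parse_ldap_conf(text)
    return {consumer: missing_for(conf, consumer) for consumer in DIRECTIVES}


if __name__ == "__main__":
    import os

    # Use the real shared file when present, otherwise the constructed sample.
    path = "/etc/ldap/ldap.conf"
    text = open(path).read() if os.path.exists(path) else SAMPLE_SHARED_CONF
    for consumer, missing in report(text).items():
        print(f"{consumer:9} " + ("ok" if not missing else "missing: " + ", ".join(missing)))
```

On the sample, the OpenLDAP view is complete while pam_ldap sees no CA file at all, which is the kind of silent gap a shared file can hide: peer checking is requested, but the trust anchor is only spelled in the other consumer's vocabulary. If the two files are to be unified, each consumer's own directive names have to be present, not just one set.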

affects: openldap (Ubuntu) → libpam-ldap (Ubuntu)
Changed in libpam-ldap (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
summary: - /etc/ldap/ldap.conf missing
+ libpam-ldap should share openldap's configuration file
summary: - libpam-ldap should share openldap's configuration file
+ libpam-ldap should share openldap's configuration mechanism
Changed in openldap (Ubuntu):
importance: Undecided → Medium
status: New → Triaged