Bug 48017 – Replace pam_ldap, nss_ldap and nscd by nss-pam-ldapd and slapo-nssov

Bug 48017 - Replace pam_ldap, nss_ldap and nscd by nss-pam-ldapd and slapo-nssov


Summary:	Replace pam_ldap, nss_ldap and nscd by nss-pam-ldapd and slapo-nssov

Status:	NEW

Product:	UCS
Classification:	Unclassified
Component:	LDAP
Version:	UCS 5.0
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	---
Assigned To:	UCS maintainers
QA Contact:	UCS maintainers

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2018-10-18 19:29 CEST by Arvid Requate
Modified:	2021-05-03 21:51 CEST (History)
CC List:	1 user (show)

See Also:
What kind of report is it?:	Development Internal
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Arvid Requate

2018-10-18 19:29:34 CEST

https://arthurdejong.org/nss-pam-ldapd/

https://github.com/openldap/openldap/blob/master/contrib/slapd-modules/nssov/slapo-nssov.5  ( https://manned.org/slapo-nssov )

Comment 1 Florian Best

2019-03-13 14:02:47 CET

Could you describe the benefit in one sentence?

Comment 2 Arvid Requate

2019-03-13 14:25:23 CET

Currently /etc/libnss-ldap.conf (and libnss-ldap.secret) must contain bind credentials (machine password) for nss_ldap to work. As far as I understand the documentation of nssov, this would not be necessary any longer because binds happen with user credentials. The drawback would be: It only works against a local running slapd (so you cannot user it on a member server unless yu run a slapd with slapd-ldap config and maybe slapo-pcache there. Which could maybe be an alternative to running nscd).