Univention Bugzilla – Bug 55995
Replace libnss-ldap with libnss-ldapd
Last modified: 2024-03-08 10:37:43 CET
In Debian libnss-ldap has been removed. A replacement is libnss-ldapd.
https://wiki.debian.org/LDAP/NSS
https://arthurdejong.org/nss-pam-ldapd/
(Another alternative would be: https://ae-dir.com/aehostd.html)

We should use libnss-ldapd and libpam-ldapd in favor of libnss-ldap and libpam-nss.
The configuration is done in /etc/nslcd.conf instead of /etc/libnss-ldap.conf and /etc/pam_ldap.conf.
After changing /etc/nslcd.conf the service nslcd.service needs to be restarted.

It doesn't provide a replacement for the options:
- tls_checkpeer (via UCRv nssldap/tls/checkpeer)
- bind_policy (via UCRv nssldap/bindpolicy)
- nss_srv off (via UCRv nssldap/nss_srv)

There is no explicit pam config anymore, therefore we need to unify the UCR variables "pamldap/auth" and "nssldap/auth".

The config file contains the machine.secret, therefore the permissions need to be checked by the Diagnostic Plugin "31_file_permissions".
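The permission check that comment #0 asks for, written out as an added example (this is not code from the UCS diagnostic plugin "31_file_permissions" nor from nss-pam-ldapd): it flags an nslcd.conf that carries a bindpw but is readable by anyone other than root and the daemon's own group. The group name "nslcd" and the list of credential keys are assumptions.

```python
import grp
import os
import stat
import sys

# nslcd.conf keys whose value is a credential (assumed list); bindpw holds the machine.secret in UCS.
SECRET_KEYS = ("bindpw",)

def contains_secret(text):
    """True if a non-comment line of the config sets a credential key."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and line.split(None, 1)[0].lower() in SECRET_KEYS:
            return True
    return False

def permission_problems(mode, uid, gid, has_secret, allowed_gid=None):
    """Findings for a file with permission bits `mode`, owner `uid`, group `gid`.
    Group/world write is always flagged. If the file holds a credential, world read
    is flagged, and group read unless the group is the daemon's own (`allowed_gid`)."""
    perms = mode & 0o777
    problems = []
    if uid != 0:
        problems.append("owner is uid %d, expected root" % uid)
    if perms & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group- or world-writable (mode %o)" % perms)
    if has_secret and perms & stat.S_IROTH:
        problems.append("contains a bind password but is world-readable (mode %o)" % perms)
    elif has_secret and perms & stat.S_IRGRP and gid != allowed_gid:
        problems.append("contains a bind password readable by gid %d (mode %o)" % (gid, perms))
    return problems

def check_file(path, daemon_group="nslcd"):
    """Inspect a real file; only root and the daemon's group (assumed: nslcd) may read it."""
    st = os.stat(path)
    with open(path) as fh:
        has_secret = contains_secret(fh.read())
    try:
        allowed_gid = grp.getgrnam(daemon_group).gr_gid
    except KeyError:
        allowed_gid = None  # group missing on this host: only root may read
    return permission_problems(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, has_secret, allowed_gid)

if __name__ == "__main__":
    findings = check_file(sys.argv[1] if len(sys.argv) > 1 else "/etc/nslcd.conf")
    print("\n".join(findings) or "no findings")
    sys.exit(1 if findings else 0)
```

Run it with the config path as the only argument; a non-zero exit status means at least one finding.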
*** Bug 55823 has been marked as a duplicate of this bug. ***
(In reply to Florian Best from comment #0)
> We should use libnss-ldapd and libpam-ldapd in favor of libnss-ldap and
> libpam-nss.

Why replace one deprecated project "libnss-ldap" only with the next legacy project "NSS-PAM-LDAPd" instead of switching to "SSSd" <https://sssd.io/>?
RedHat, SuSE, Ubuntu have already switched to it several years ago and even we already use it ourselves within our domain-join-assistant <https://git.knut.univention.de/univention/univention-domain-join/-/blob/ubuntu22.04/univention_domain_join/join_steps/sssd_configurator.py>.
https://qa.debian.org/popcon.php?package=nss-pam-ldapd
https://qa.debian.org/popcon.php?package=sssd
(In reply to Florian Best from Bug 55823 comment #1)
> Moved the not-applicable patches:
> r19872 | Bug #55823: libnss-ldap → nss-pam-ldapd

This broke repo-debmirror as these patches from `libnss-ldap` do NOT apply to `nss-pam-ldapd` and building it fails. Therefore I removed the patches again. If you need them (or a variant thereof) revert

[main] aef3b481f fix(nss-pam-ldapd): Remove unapplied patches
 nss-pam-ldapd/ucs_5.2-0/0.9.12-3/20_memberuid.quilt | 31 --------------
 nss-pam-ldapd/ucs_5.2-0/0.9.12-3/40_bug30779.patch | 18 --------
 nss-pam-ldapd/ucs_5.2-0/0.9.12-3/40_bug30779.quilt | 93 -----------------------------------------
 nss-pam-ldapd/ucs_5.2-0/0.9.12-4/20_memberuid.quilt | 31 --------------
 nss-pam-ldapd/ucs_5.2-0/0.9.12-4/40_bug30779.patch | 18 --------
 nss-pam-ldapd/ucs_5.2-0/0.9.12-4/40_bug30779.quilt | 93 -----------------------------------------
 6 files changed, 284 deletions(-)
(In reply to Florian Best from comment #0)
> nss_srv off (via UCRv nssldap/nss_srv)

That is a UCS-specific hack added by 40_bug30779.{patch,quilt}
Interaction with nscd may need attention
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/usingnscd-sssd
- Maybe we can keep nscd, we just need to know that
1. caching works for getent style lookups (so that slapd is not hit each time) and
2. what caches we need to flush in script or support case etc.
(In reply to Arvid Requate from comment #5)
> Interaction with nscd may need attention
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/
> html/system-level_authentication_guide/usingnscd-sssd - Maybe we can keep
> nscd, we just need to know that 1. caching works for getent style lookups
> (so that slapd is not hit each time) and 2. what caches we need to flush in
> script or support case etc.

/etc/nscd.conf says:
# WARNING: Running nscd with a secondary caching service like sssd may lead to
# unexpected behaviour, especially with how long entries are cached.
(In reply to Philipp Hahn from comment #2)
> (In reply to Florian Best from comment #0)
> > We should use libnss-ldapd and libpam-ldapd in favor of libnss-ldap and
> > libpam-nss.
>
> Why replace one deprecated project "libnss-ldap" only with the next legacy
> project "NSS-PAM-LDAPd" instead of switching to "SSSd" <https://sssd.io/>?

→ Outsourced into Bug #56793

The current changes have been ready for QA for a long time. Maybe we have time to switch to SSSd in UCS 5.2, but we need to make a PoC.
OK: Libnss-ldapd authentication works
OK: Tests

Verified

Switching to sssd is handled at another bug.
univention-pam (14.0.4)
a0954cc96eef | feat(NSS): replace libnss-ldap with nss-pam-ldapd

univention-management-console-module-diagnostic (7.0.4)
a0954cc96eef | feat(NSS): replace libnss-ldap with nss-pam-ldapd

univention-errata-level (5.1.0-0)
a0954cc96eef | feat(NSS): replace libnss-ldap with nss-pam-ldapd