Bug 56793 - Replace libnss-ldapd with SSSd
Status: RESOLVED FIXED
Product: UCS
Classification: Unclassified
Component: General
UCS 5.2
Other Linux
P5 normal
UCS 5.2
Assigned To: Arvid Requate
Felix Botner
Depends on: 55995
Blocks:
Reported: 2023-11-02 16:23 CET by Florian Best
Modified: 2024-04-15 16:58 CEST (History)

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): API change
Max CVSS v3 score:
Description Florian Best univentionstaff 2023-11-02 16:23:14 CET
(In reply to Philipp Hahn from Bug #55995 comment #2)
> (In reply to Florian Best from comment #0)
> > We should use libnss-ldapd and libpam-ldapd in favor of libnss-ldap and
> > libpam-nss.
> 
> Why replace one deprecated project "libnss-ldap" only with the next legacy
> project "NSS-PAM-LDAPd" instead of switching to "SSSd" <https://sssd.io/>?
> RedHat, SuSE, Ubuntu already switched to it several years ago and even
> we already use it ourselves within our domain-join-assistant
> <https://git.knut.univention.de/univention/univention-domain-join/-/blob/
> ubuntu22.04/univention_domain_join/join_steps/sssd_configurator.py>.
> 
> https://qa.debian.org/popcon.php?package=nss-pam-ldapd
> https://qa.debian.org/popcon.php?package=sssd

+++ This bug was initially created as a clone of Bug #55995 +++

In Debian libnss-ldap has been removed. A replacement is libnss-ldapd.

https://wiki.debian.org/LDAP/NSS
https://arthurdejong.org/nss-pam-ldapd/

(Another alternative would be: https://ae-dir.com/aehostd.html).

We should use libnss-ldapd and libpam-ldapd in favor of libnss-ldap and libpam-nss.
The configuration is done in /etc/nslcd.conf instead of /etc/libnss-ldap.conf and /etc/pam_ldap.conf.

After changing /etc/nslcd.conf the service nslcd.service needs to be restarted.

It doesn't provide a replacement for the options:
tls_checkpeer (via UCRv nssldap/tls/checkpeer)
bind_policy (via UCRv nssldap/bindpolicy)
nss_srv off (via UCRv nssldap/nss_srv)

There is no explicit pam config anymore, therefore we need to unify the UCR variables "pamldap/auth" and "nssldap/auth".

The config file contains the machine.secret, therefore the permissions need to be checked by the Diagnostic Plugin "31_file_permissions".
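The last point of the description, that a config file embedding the machine secret must be checked for its permissions, is illustrated below with an added example. This is not the code of the UCS diagnostic plugin "31_file_permissions" nor of nss-pam-ldapd or SSSd; it is a hypothetical stand-alone check. The option names used to detect a credential line (`bindpw` for /etc/nslcd.conf, `ldap_default_authtok` for /etc/sssd/sssd.conf) and the permitted mode 0600 are assumptions made for the example, and `demo()` works on a constructed temporary file with the current user as expected owner so it runs unprivileged.

```python
import os
import stat
import tempfile

# Assumed (not taken from the bug): which option in each file carries the bind
# credential, i.e. the machine secret, so a file without it is not over-reported.
SECRET_KEYS = {
    "/etc/nslcd.conf": ("bindpw",),
    "/etc/sssd/sssd.conf": ("ldap_default_authtok",),
}


def contains_secret(path, keys):
    """True if any non-comment line starts with one of the credential option names."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                continue
            option = stripped.split(None, 1)[0].rstrip("=")
            if option in keys:
                return True
    return False


def check_secret_file(path, expected_uid=0, max_mode=0o600):
    """Return a list of findings for a file that holds a secret; [] means it passes.

    - the file must exist and be a regular file, not a symlink
    - no permission bit beyond max_mode may be set (group/other access is the
      usual mistake after editing a template by hand)
    - it must be owned by expected_uid (root on a real system)
    """
    findings = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    if stat.S_ISLNK(st.st_mode):
        return [f"{path}: is a symlink, refusing to evaluate the target"]
    if not stat.S_ISREG(st.st_mode):
        return [f"{path}: not a regular file"]
    mode = stat.S_IMODE(st.st_mode)
    extra = mode & ~max_mode
    if extra:
        findings.append(f"{path}: mode {mode:04o} grants bits {extra:04o} beyond {max_mode:04o}")
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    return findings


def demo():
    """Constructed sample: an nslcd.conf-like file with a bindpw line, checked at
    0644 (world-readable secret) and again at 0600. Returns (before, after, has_secret)."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "nslcd.conf")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("# constructed sample, not a real configuration\n")
        fh.write("uri ldap://ldap.example.test/\n")
        fh.write("binddn cn=host,cn=computers,dc=example,dc=test\n")
        fh.write("bindpw CONSTRUCTED-MACHINE-SECRET\n")
    me = os.getuid()
    os.chmod(path, 0o644)
    before = check_secret_file(path, expected_uid=me, max_mode=0o600)
    os.chmod(path, 0o600)
    after = check_secret_file(path, expected_uid=me, max_mode=0o600)
    has_secret = contains_secret(path, SECRET_KEYS["/etc/nslcd.conf"])
    return before, after, has_secret


if __name__ == "__main__":
    for finding in demo()[0]:
        print(finding)
```

On a real host the call would be `check_secret_file("/etc/nslcd.conf")` (or the sssd.conf path after the switch) with the default `expected_uid=0`, and only files for which `contains_secret` is true need the strict mode; the symlink refusal is deliberate so that a link pointing at a world-readable copy is reported rather than silently accepted.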
Comment 3 Florian Best univentionstaff 2024-03-08 11:10:03 CET
The commits so far are:

univention-system-setup (15.0.4)
fdd7b598628f | Bug #56793: Replace libnss-ldapd with SSSd
d73096ec28ee | Bug #56793: Unify whitespace in pam config a bit

univention-samba (16.0.3)
fdd7b598628f | Bug #56793: Replace libnss-ldapd with SSSd

univention-quota (16.0.3)
d73096ec28ee | Bug #56793: Unify whitespace in pam config a bit

univention-postgresql (14.0.3)
fdd7b598628f | Bug #56793: Replace libnss-ldapd with SSSd

univention-pam (15.0.3)
ae6a368b9ae4 | Bug #56793: Fix UMC login
fdd7b598628f | Bug #56793: Replace libnss-ldapd with SSSd
d73096ec28ee | Bug #56793: Unify whitespace in pam config a bit

univention-network-manager (14.0.3)
fdd7b598628f | Bug #56793: Replace libnss-ldapd with SSSd

univention-management-console-module-diagnostic (8.0.6)
fdd7b598628f | Bug #56793: Replace libnss-ldapd with SSSd

univention-management-console (14.0.3)
ae6a368b9ae4 | Bug #56793: Fix UMC login
fdd7b598628f | Bug #56793: Replace libnss-ldapd with SSSd
d73096ec28ee | Bug #56793: Unify whitespace in pam config a bit

univention-mail-postfix (16.0.3)
fdd7b598628f | Bug #56793: Replace libnss-ldapd with SSSd

univention-mail-dovecot (8.0.3)
fdd7b598628f | Bug #56793: Replace libnss-ldapd with SSSd

univention-lib (11.0.2)
fdd7b598628f | Bug #56793: Replace libnss-ldapd with SSSd

univention-ldap (18.0.4)
fdd7b598628f | Bug #56793: Replace libnss-ldapd with SSSd

univention-join (14.0.4)
fdd7b598628f | Bug #56793: Replace libnss-ldapd with SSSd

univention-errata-level (5.2.0-0)
fdd7b598628f | Bug #56793: Replace libnss-ldapd with SSSd

univention-directory-notifier (16.0.2)
fdd7b598628f | Bug #56793: Replace libnss-ldapd with SSSd

univention-directory-manager-modules (10.0.29-10)
r56793 | Bug #33190: Changed the release policy to update policy and adapted

univention-directory-listener (16.0.2)
fdd7b598628f | Bug #56793: Replace libnss-ldapd with SSSd

ucs-test (12.0.8)
fdd7b598628f | Bug #56793: Replace libnss-ldapd with SSSd

pam-runasroot (13.0.2)
fdd7b598628f | Bug #56793: Replace libnss-ldapd with SSSd

NONE
4905d98436d2 | ci(utils): adjust kvm templates
Comment 5 Florian Best univentionstaff 2024-03-14 10:29:00 CET
Changelog entry is missing.
Plus when creating one please remove doc/changelog/staged/changelog-service-pam.55995.rst
Comment 6 Arvid Requate univentionstaff 2024-04-15 16:58:10 CEST
4905d98436 | ci(utils): adjust kvm templates
9862225897 | Straighten handling of pam_unix.so
4cf8f75938 | Feedback from review
8318ccb6d8 | Also adjust update smtp and imap pam-stacks
ce3db1eb6d | register UCR vars with templates and add changelogs
51999e8536 | Configure sssd to recognize non-POSIX users/ldap accounts
7a9e0a835a | Add UCR adjustable logrotate config for sssd
0b4fea850a | Add changelog details
473d603c38 | Keep pam_succeed_if only for umc account
bc01842fd6 | fixup! Add changelog details
c1efd8228b | Remove the pam_if_succeed hack entirely