Univention Bugzilla – Bug 56793
Replace libnss-ldapd with SSSd
Last modified: 2024-04-15 16:58:10 CEST
(In reply to Philipp Hahn from Bug #55995 comment #2)
> (In reply to Florian Best from comment #0)
> > We should use libnss-ldapd and libpam-ldapd in favor of libnss-ldap and
> > libpam-nss.
>
> Why replace one deprecated project "libnss-ldap" only with the next legacy
> project "NSS-PAM-LDAPd" instead of switching to "SSSd" <https://sssd.io/>?
> RedHat, SuSE, Ubuntu have already switched to it several years ago and even
> we already use it ourselves within our domain-join-assistant
> <https://git.knut.univention.de/univention/univention-domain-join/-/blob/ubuntu22.04/univention_domain_join/join_steps/sssd_configurator.py>.
>
> https://qa.debian.org/popcon.php?package=nss-pam-ldapd
> https://qa.debian.org/popcon.php?package=sssd

+++ This bug was initially created as a clone of Bug #55995 +++

In Debian libnss-ldap has been removed. A replacement is libnss-ldapd.
https://wiki.debian.org/LDAP/NSS
https://arthurdejong.org/nss-pam-ldapd/
(Another alternative would be: https://ae-dir.com/aehostd.html).

We should use libnss-ldapd and libpam-ldapd in favor of libnss-ldap and libpam-nss.

The configuration is done in /etc/nslcd.conf instead of /etc/libnss-ldap.conf and /etc/pam_ldap.conf.
After changing /etc/nslcd.conf the service nslcd.service needs to be restarted.

It doesn't provide a replacement for the options:
tls_checkpeer (via UCRv nssldap/tls/checkpeer)
bind_policy (via UCRv nssldap/bindpolicy)
nss_srv off (via UCRv nssldap/nss_srv)

There is no explicit pam config anymore, therefore we need to unify the UCR variables "pamldap/auth" and "nssldap/auth".

The config file contains the machine.secret, therefore the permissions need to be checked by the Diagnostic Plugin "31_file_permissions".
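The last paragraph of the comment above asks for a permission check on the config file that holds machine.secret. The following is an added, stand-alone example of the kind of check such a diagnostic would run; it is not Univention's "31_file_permissions" plugin. The file list, the 0600/root expectation and the sample file contents are assumptions of this example.

```python
import os
import stat
import tempfile

# Files that carry the machine account secret after the switch; the exact
# list is an assumption for this example, not taken from the UCS packages.
SECRET_CONFIG_FILES = ["/etc/nslcd.conf", "/etc/sssd/sssd.conf"]


def check_secret_file(path, allowed_mode=0o600, expected_uid=0):
    """Return a list of findings for one config file that holds a credential.

    An empty list means the file is acceptable. A file that does not exist
    yields no finding, since only a file that is present can be read.
    """
    findings = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return findings
    if stat.S_ISLNK(st.st_mode):
        # A symlink could redirect the checked path to an unrelated, more
        # permissive file; report it rather than following it.
        return [f"{path}: is a symlink, expected a regular file"]
    if st.st_uid != expected_uid:
        findings.append(
            f"{path}: owned by uid {st.st_uid}, expected uid {expected_uid}"
        )
    mode = stat.S_IMODE(st.st_mode)
    # Every permission bit outside the allowed mask is a problem, e.g. a
    # group- or world-readable bit on a file containing machine.secret.
    extra = mode & ~allowed_mode
    if extra:
        findings.append(
            f"{path}: mode {mode:04o} grants {extra:04o} beyond {allowed_mode:04o}"
        )
    return findings


def check_all(paths=SECRET_CONFIG_FILES, **kwargs):
    """Run the check over several files and collect all findings."""
    findings = []
    for path in paths:
        findings.extend(check_secret_file(path, **kwargs))
    return findings


def demo():
    """Create two constructed config files, one too open and one correct,
    and return the findings; this shows the check without touching /etc."""
    with tempfile.TemporaryDirectory() as tmp:
        open_conf = os.path.join(tmp, "sssd.conf")
        good_conf = os.path.join(tmp, "nslcd.conf")
        for p in (open_conf, good_conf):
            with open(p, "w") as fh:
                fh.write("# constructed sample\nbindpw = not-a-real-secret\n")
        os.chmod(open_conf, 0o644)  # world-readable: must be reported
        os.chmod(good_conf, 0o600)  # owner-only: acceptable
        # The temp files belong to the current user, so that uid is the
        # expected owner here; on a real host it would be root (uid 0).
        return check_all([open_conf, good_conf], expected_uid=os.getuid())


if __name__ == "__main__":
    for line in demo() or ["no findings"]:
        print(line)
```

Run on a real host as root with the defaults, check_all() reports each listed file that is not root-owned and mode 0600 or stricter; the symlink case is reported separately because following it would check the wrong file.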
The commits so far are:

univention-system-setup (15.0.4)
  fdd7b598628f | Bug #56793: Replace libnss-ldapd with SSSd
  d73096ec28ee | Bug #56793: Unify whitespace in pam config a bit
univention-samba (16.0.3)
  fdd7b598628f | Bug #56793: Replace libnss-ldapd with SSSd
univention-quota (16.0.3)
  d73096ec28ee | Bug #56793: Unify whitespace in pam config a bit
univention-postgresql (14.0.3)
  fdd7b598628f | Bug #56793: Replace libnss-ldapd with SSSd
univention-pam (15.0.3)
  ae6a368b9ae4 | Bug #56793: Fix UMC login
  fdd7b598628f | Bug #56793: Replace libnss-ldapd with SSSd
  d73096ec28ee | Bug #56793: Unify whitespace in pam config a bit
univention-network-manager (14.0.3)
  fdd7b598628f | Bug #56793: Replace libnss-ldapd with SSSd
univention-management-console-module-diagnostic (8.0.6)
  fdd7b598628f | Bug #56793: Replace libnss-ldapd with SSSd
univention-management-console (14.0.3)
  ae6a368b9ae4 | Bug #56793: Fix UMC login
  fdd7b598628f | Bug #56793: Replace libnss-ldapd with SSSd
  d73096ec28ee | Bug #56793: Unify whitespace in pam config a bit
univention-mail-postfix (16.0.3)
  fdd7b598628f | Bug #56793: Replace libnss-ldapd with SSSd
univention-mail-dovecot (8.0.3)
  fdd7b598628f | Bug #56793: Replace libnss-ldapd with SSSd
univention-lib (11.0.2)
  fdd7b598628f | Bug #56793: Replace libnss-ldapd with SSSd
univention-ldap (18.0.4)
  fdd7b598628f | Bug #56793: Replace libnss-ldapd with SSSd
univention-join (14.0.4)
  fdd7b598628f | Bug #56793: Replace libnss-ldapd with SSSd
univention-errata-level (5.2.0-0)
  fdd7b598628f | Bug #56793: Replace libnss-ldapd with SSSd
univention-directory-notifier (16.0.2)
  fdd7b598628f | Bug #56793: Replace libnss-ldapd with SSSd
univention-directory-manager-modules (10.0.29-10)
  r56793 | Bug #33190: Changed the release policy to update policy and adapted
univention-directory-listener (16.0.2)
  fdd7b598628f | Bug #56793: Replace libnss-ldapd with SSSd
ucs-test (12.0.8)
  fdd7b598628f | Bug #56793: Replace libnss-ldapd with SSSd
pam-runasroot (13.0.2)
  fdd7b598628f | Bug #56793: Replace libnss-ldapd with SSSd
NONE
  4905d98436d2 | ci(utils): adjust kvm templates
Failed test cases:
https://univention-dist-jenkins.k8s.knut.univention.de/job/UCS-5.2/job/UCS-5.2-0/job/AutotestJoin/SambaVersion=s4,Systemrolle=master/lastCompletedBuild/testReport/59_udm/61_test_udm_users/test_simpleauthaccount_authentication/
https://univention-dist-jenkins.k8s.knut.univention.de/job/UCS-5.2/job/UCS-5.2-0/job/AutotestJoin/SambaVersion=s4,Systemrolle=master/lastCompletedBuild/testReport/60_umc.104_expired_password/TestPwdChangeNextLogin/test_expired_password_detection_modify_pwdchangenextlogin_options0_/
https://univention-dist-jenkins.k8s.knut.univention.de/job/UCS-5.2/job/UCS-5.2-0/job/AutotestJoin/SambaVersion=s4,Systemrolle=master/lastCompletedBuild/testReport/60_umc.104_expired_password/TestLDAPUsers/test_ldap_pwd_user_umc_authentication/
https://univention-dist-jenkins.k8s.knut.univention.de/job/UCS-5.2/job/UCS-5.2-0/job/AutotestJoin/SambaVersion=s4,Systemrolle=master/lastCompletedBuild/testReport/60_umc/32_udm_nonposix_user_actions/master091/
Changelog entry is missing. Plus, when creating one, please remove doc/changelog/staged/changelog-service-pam.55995.rst
4905d98436 | ci(utils): adjust kvm templates
9862225897 | Straighten handling of pam_unix.so
4cf8f75938 | Feedback from review
8318ccb6d8 | Also adjust update smtp and imap pam-stacks
ce3db1eb6d | register UCR vars with templates and add changelogs
51999e8536 | Configure sssd to recognize non-POSIX users/ldap accounts
7a9e0a835a | Add UCR adjustable logrotate config for sssd
0b4fea850a | Add changelog details
473d603c38 | Keep pam_succeed_if only for umc account
bc01842fd6 | fixup! Add changelog details
c1efd8228b | Remove the pam_if_succeed hack entirely