pam_ldap by default tries to use /etc/ldap.conf when authenticating someone. However openldap puts ldap.conf in /etc/openldap. This little patch below I believe will fix things, basically it just utilizes --with-ldap-conf during the configure stage. --- pam_ldap-180.ebuild 2005-12-19 15:06:43.000000000 -0500 +++ pam_ldap-180.ebuild.patched 2005-12-19 15:06:34.000000000 -0500 @@ -28,7 +28,7 @@ } src_compile() { - econf --with-ldap-lib=openldap `use_enable ssl` || die + econf --with-ldap-conf-file=/etc/openldap/ldap.conf --with-ldap-lib=openldap `use_enable ssl` || die emake || die }
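Review bot: the econf change points pam_ldap at /etc/openldap/ldap.conf, which is the OpenLDAP client library's own configuration file for the command-line tools, not the pam/nss_ldap file; as the rest of this thread points out, the two often need different settings (notably a different binddn for the nss/pam side), so building the module with the client file path hard-wired breaks those setups. Keep the default /etc/ldap.conf in the ebuild and leave merging the two to a local symlink on hosts where the contents really are identical. Also, the description names the option --with-ldap-conf while the hunk passes --with-ldap-conf-file; the two should agree, and the spelling in the hunk should be checked against pam_ldap's configure script before this is applied.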
I'm not in this herd so I probably shouldn't do this BUT .. I'm 100% confident about this issue as the openldap maintainer. The openldap /etc/openldap/ldap.conf is a completely different configuration file, it's for the use of command line tools for openldap. The /etc/ldap.conf is for the pam ldap configuration. The two are different and should remain different, your patch breaks the correct behaviour.
(In reply to comment #1)
> I'm not in this herd so I probably shouldn't do this BUT .. I'm 100% confident
> about this issue as the openldap maintainer. The openldap
> /etc/openldap/ldap.conf is a completely different configuration file, it's for
> the use of command line tools for openldap. The /etc/ldap.conf is for the pam
> ldap configuration. The two are different and should remain different, your
> patch breaks the correct behaviour.
>

Hold on there ... you're 100% confident?

# ldd /lib/security/pam_ldap.so
        linux-gate.so.1 =>  (0xffffe000)
        libldap-2.2.so.7 => /usr/lib/libldap-2.2.so.7 (0xb7ecb000)
        liblber-2.2.so.7 => /usr/lib/liblber-2.2.so.7 (0xb7ebe000)
        libnsl.so.1 => /lib/libnsl.so.1 (0xb7ea9000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0xb7e7b000)
        libresolv.so.2 => /lib/libresolv.so.2 (0xb7e67000)
        libpam.so.0 => /lib/libpam.so.0 (0xb7e5f000)
        libdl.so.2 => /lib/libdl.so.2 (0xb7e5a000)
        libc.so.6 => /lib/libc.so.6 (0xb7d43000)
        libssl.so.0.9.7 => /usr/lib/libssl.so.0.9.7 (0xb7d12000)
        libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0xb7c0e000)
        /lib/ld-linux.so.2 (0x80000000)
# equery belongs /usr/lib/libldap-2.2.so.7
[ Searching for file(s) /usr/lib/libldap-2.2.so.7 in *... ]
net-nds/openldap-2.2.28-r3 (/usr/lib/libldap-2.2.so.7 -> libldap-2.2.so.7.0.21)

So it seems as if pam_ldap depends on openldap. Browsing the pam_ldap ebuild confirms this. So if pam_ldap uses client services from openldap its config file needs to be 100% compatible with openldap. Ergo my patch.
No. The fact that both files are named 'ldap.conf' is entirely irrelevant. The pam/nss_ldap code just happens to use a very similar simple parser, and settings of the same name, because that's what the settings are named in the LDAP standards. There are a number of configurations that require the files be separate, because they would otherwise conflict - namely revolving around having nss/pam using a different binddn than the client software uses by default. If your configuration works with /etc/ldap.conf having the same contents as /etc/openldap/ldap.conf, then symlink /etc/ldap.conf to /etc/openldap/ldap.conf on your system. Another significant disadvantage to having them both in the same file is that we need to maintain two packages containing the nss_ldap variant ldap.conf file, so that admins can see all the sample comments for configuration.
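The comment above says the two ldap.conf files may only be merged by symlink on a host where their contents agree, and that they typically diverge on binddn. The script below is an added example written for this thread, not code from the bug, pam_ldap or openldap; it reads a handful of settings (uri, host, base, binddn, ssl, tls_cacertfile) from both files with the same simple key/value parse style the comment describes, lists the ones that differ, and checks whether the two paths already resolve to one file. The two configuration files it creates for the demo are constructed samples.

```shell
#!/bin/sh
# Added example (not from the bug thread or either package): compare the
# pam/nss_ldap configuration with the OpenLDAP client configuration and
# report the settings that differ, so an admin can see whether replacing
# /etc/ldap.conf by a symlink to /etc/openldap/ldap.conf would be safe.

# ldap_setting FILE KEY -> prints the value of KEY (keys are matched
# case-insensitively, comment lines are skipped) or nothing if unset.
ldap_setting() {
    awk -v key="$2" '
        $0 !~ /^[[:space:]]*#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# ldap_conf_diff FILE_A FILE_B -> prints "KEY A_VALUE B_VALUE" for each
# setting that differs; exit status is 0 only when all listed keys agree.
ldap_conf_diff() {
    a="$1"; b="$2"; differs=0
    for key in uri host base binddn ssl tls_cacertfile; do
        va=$(ldap_setting "$a" "$key")
        vb=$(ldap_setting "$b" "$key")
        if [ "$va" != "$vb" ]; then
            printf '%s %s %s\n' "$key" "${va:-<unset>}" "${vb:-<unset>}"
            differs=1
        fi
    done
    return $differs
}

# same_file A B -> exit 0 when both paths resolve to the same inode,
# i.e. the symlink merge described in the thread is already in place.
same_file() {
    [ -e "$1" ] && [ -e "$2" ] && [ "$1" -ef "$2" ]
}

# demo -> builds two constructed sample files in a temp directory and
# prints how many of the inspected settings differ between them.
demo() {
    dir=$(mktemp -d)
    mkdir "$dir/openldap"
    # constructed sample of a pam/nss_ldap /etc/ldap.conf
    cat > "$dir/ldap.conf" <<'EOF'
# pam/nss_ldap configuration (constructed sample)
host ldap.example.com
base dc=example,dc=com
binddn cn=nss,dc=example,dc=com
ssl start_tls
EOF
    # constructed sample of an OpenLDAP client /etc/openldap/ldap.conf
    cat > "$dir/openldap/ldap.conf" <<'EOF'
# OpenLDAP client tool configuration (constructed sample)
URI ldap://ldap.example.com
BASE dc=example,dc=com
TLS_CACERTFILE /etc/ssl/certs/ca.pem
EOF
    n=$(ldap_conf_diff "$dir/ldap.conf" "$dir/openldap/ldap.conf" | wc -l)
    rm -rf "$dir"
    echo $((n))
}
```

Run against a real host with `ldap_conf_diff /etc/ldap.conf /etc/openldap/ldap.conf`; an empty listing (exit status 0) is the case in which the symlink the comment suggests loses nothing, while a differing binddn line is exactly the situation in which the two files must stay separate. The demo sample differs on five of the six inspected keys (only base agrees).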
Your logic is also faulty. "So it seems as if pam_ldap depends on openldap. Browsing the pam_ldap ebuild confirms this. So if pam_ldap uses client services from openldap its config file needs to be 100% compatible with openldap." This is: "So it seems as if PKGA depends on PKGB. Browsing the PKGA ebuild confirms this. So if PKGA uses client services from PKGB its config file needs to be 100% compatible with PKGB." Now substitute gvim for PKGA, and gnome for PKGB, and you'll see that your logic doesn't work.