
Bug 889296

Summary: sys-auth/nss_ldap: removal in favour of sys-auth/nss-pam-ldapd?
Product: Gentoo Linux
Reporter: Sam James <sam>
Component: Current packages
Assignee: Gentoo LDAP project <ldap-bugs>
Status: CONFIRMED
Severity: normal
CC: chutzpah, prometheanfire, robbat2, treecleaner
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=581306
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 889292, 889294
Bug Blocks:

Description: Sam James (archtester, Gentoo Infrastructure, gentoo-dev, Security) 2023-01-01 17:34:13 UTC
nss-ldap is extremely brittle and has various serious bugs, like bug 581306.

Let's try to replace it with sys-auth/nss-pam-ldapd.
Comment 1: Robin Johnson (archtester, Gentoo Infrastructure, gentoo-dev, Security) 2023-01-01 19:49:40 UTC
I don't object to the overall proposal, but it's NOT a drop-in replacement. We'll need lots of news to users about it.

https://arthurdejong.org/nss-pam-ldapd/README

====
unsupported features
--------------------

Since nss-pam-ldapd was forked from nss_ldap most of the features that came
with nss_ldap are available. The most important differences:
- the configuration file formats are not fully compatible
...
Some things work a little different in nss-pam-ldapd. For instance the
attribute defaults and overrides of nss_ldap are implemented with mapping
expressions and pam_ldap's pam_check_*_attr options can be implemented with
the pam_authz_search option.

====

It will definitely take some porting for all users switching.

Consider this from the infra config:
===
pam_filter           &(|(gentooAccess=woodpecker.gentoo.org)(gentooAccess=dev.gentoo.org))(gentooStatus=active)
nss_base_passwd      ou=devs,dc=gentoo,dc=org?sub?&(|(gentooAccess=woodpecker.gentoo.org)(gentooAccess=dev.gentoo.org))(gentooStatus=active)
nss_base_shadow      ou=devs,dc=gentoo,dc=org?sub?&(|(gentooAccess=woodpecker.gentoo.org)(gentooAccess=dev.gentoo.org))(gentooStatus=active)
nss_base_group       ou=groups,dc=gentoo,dc=org?one?&(|(gentooAccess=woodpecker.gentoo.org)(gentooAccess=dev.gentoo.org)

===


I don't see a fast 1:1 mapping of those into the nslcd.conf.

Also, I found this buried comment that outright scares me:
https://arthurdejong.org/nss-pam-ldapd/nslcd.conf.5
"If the LDAP server is unavailable during start-up nslcd will not start."
That means disconnected reboots are NOT safe, because nslcd won't start on boot, and after the network returns, you'll have to log in another way to start nslcd.
Mostly thinking of a case where there is a power interruption, and the host boots much faster than switchgear.
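To make the porting effort in the comment above concrete, here is a small added converter (example code written for this page, not part of nss_ldap, nss-pam-ldapd or Gentoo infra) that turns nss_ldap `nss_base_<map>` lines (`base?scope?filter`) and `pam_filter` into the corresponding nslcd.conf `base`/`scope`/`filter` and `pam_authz_search` lines. It assumes the default object classes (posixAccount, shadowAccount, posixGroup) should be restated, because an nslcd `filter MAP` line replaces nslcd's default filter rather than being AND-ed with it, and it treats `pam_authz_search` with an `(uid=$username)` term as the nearest equivalent of `pam_filter`. It also refuses any filter whose parentheses do not balance, which is exactly what happens with the `nss_base_group` line as it appears in the quoted snippet (it is missing a closing parenthesis), so the bad line is reported instead of being written into a live config. The sample input is constructed from the quoted lines.

```python
import re

# Constructed sample, modelled on the nss_ldap lines quoted in the comment above.
# The nss_base_group line is reproduced with its missing closing parenthesis.
NSS_LDAP_SAMPLE = """\
pam_filter           &(|(gentooAccess=woodpecker.gentoo.org)(gentooAccess=dev.gentoo.org))(gentooStatus=active)
nss_base_passwd      ou=devs,dc=gentoo,dc=org?sub?&(|(gentooAccess=woodpecker.gentoo.org)(gentooAccess=dev.gentoo.org))(gentooStatus=active)
nss_base_shadow      ou=devs,dc=gentoo,dc=org?sub?&(|(gentooAccess=woodpecker.gentoo.org)(gentooAccess=dev.gentoo.org))(gentooStatus=active)
nss_base_group       ou=groups,dc=gentoo,dc=org?one?&(|(gentooAccess=woodpecker.gentoo.org)(gentooAccess=dev.gentoo.org)
"""

# Assumption: these are the object classes nss_ldap applies implicitly per map.
# nslcd's "filter MAP" replaces the default filter, so they must be restated.
DEFAULT_OBJECTCLASS = {"passwd": "posixAccount", "shadow": "shadowAccount", "group": "posixGroup"}


def balanced(filter_text: str) -> bool:
    """True if every '(' has a matching ')' and nesting never goes negative."""
    depth = 0
    for ch in filter_text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def as_filter(expr: str) -> str:
    """Wrap an nss_ldap-style bare expression such as '&(a)(b)' in parentheses."""
    expr = expr.strip()
    return expr if expr.startswith("(") else f"({expr})"


def parse_nss_base(value: str):
    """Split 'base?scope?filter' (scope and filter optional) into its parts."""
    parts = value.split("?", 2)
    base = parts[0].strip()
    scope = parts[1].strip() if len(parts) > 1 and parts[1].strip() else "sub"
    extra = parts[2].strip() if len(parts) > 2 else ""
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"unknown scope {scope!r} in {value!r}")
    return base, scope, extra


def convert(nss_ldap_conf: str):
    """Translate nss_base_*/pam_filter lines into nslcd.conf lines.

    Returns (lines, problems). A line whose filter does not balance produces no
    output at all and is listed in problems, so nothing half-converted is emitted.
    """
    out, problems = [], []
    for raw in nss_ldap_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        m = re.fullmatch(r"nss_base_(passwd|shadow|group)", key)
        if m:
            mapname = m.group(1)
            base, scope, extra = parse_nss_base(value)
            flt = as_filter(extra) if extra else ""
            if flt and not balanced(flt):
                problems.append(f"{key}: unbalanced filter {extra!r}")
                continue
            out.append(f"base {mapname} {base}")
            out.append(f"scope {mapname} {scope}")
            if flt:
                out.append(f"filter {mapname} (&(objectClass={DEFAULT_OBJECTCLASS[mapname]}){flt})")
        elif key == "pam_filter":
            flt = as_filter(value)
            if not balanced(flt):
                problems.append(f"{key}: unbalanced filter {value!r}")
                continue
            # nslcd has no pam_filter; pam_authz_search is the closest equivalent and
            # must select the authenticating user itself ($username is expanded by nslcd).
            out.append(f"pam_authz_search (&(objectClass=posixAccount)(uid=$username){flt})")
        # other nss_ldap keys (uri, base, ssl, ...) need their own mapping and are skipped here
    return out, problems


if __name__ == "__main__":
    lines, problems = convert(NSS_LDAP_SAMPLE)
    print("\n".join(lines))
    for p in problems:
        print("REJECTED:", p)
```

Run as-is, the script prints converted passwd and shadow maps plus a `pam_authz_search` line, and rejects the group line rather than emitting a filter that nslcd would fail to parse. The emitted lines are a starting point for review, not a drop-in nslcd.conf: attribute overrides and the other settings Robin mentions still have to be mapped by hand.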