Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 889296 - sys-auth/nss_ldap: removal in favour of sys-auth/nss-pam-ldapd?
Summary: sys-auth/nss_ldap: removal in favour of sys-auth/nss-pam-ldapd?
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo LDAP project
URL:
Whiteboard:
Keywords:
Depends on: 889292 889294
Blocks:
  Show dependency tree
 
Reported: 2023-01-01 17:34 UTC by Sam James
Modified: 2024-06-30 18:09 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-01-01 17:34:13 UTC
nss-ldap is extremely brittle and has various serious bugs, like bug 581306.

Let's try replace it with sys-auth/nss-pam-ldapd.
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2023-01-01 19:49:40 UTC
I don't object to the overall proposal, but it's NOT a drop-in replacement. We'll need lots of news to users about it.

https://arthurdejong.org/nss-pam-ldapd/README

====
unsupported features
--------------------

Since nss-pam-ldapd was forked from nss_ldap most of the features that came
with nss_ldap are available. The most important differences:
- the configuration file formats are not fully compatible
...
Some things work a little different in nss-pam-ldapd. For instance the
attribute defaults and overrides of nss_ldap are implemented with mapping
expressions and pam_ldap's pam_check_*_attr options can be implemented with
the pam_authz_search option.

====

It will definetly take some porting for all users switching.

Consider this from the infra config:
===
pam_filter           &(|(gentooAccess=woodpecker.gentoo.org)(gentooAccess=dev.gentoo.org))(gentooStatus=active)
nss_base_passwd      ou=devs,dc=gentoo,dc=org?sub?&(|(gentooAccess=woodpecker.gentoo.org)(gentooAccess=dev.gentoo.org))(gentooStatus=active)
nss_base_shadow      ou=devs,dc=gentoo,dc=org?sub?&(|(gentooAccess=woodpecker.gentoo.org)(gentooAccess=dev.gentoo.org))(gentooStatus=active)
nss_base_group       ou=groups,dc=gentoo,dc=org?one?&(|(gentooAccess=woodpecker.gentoo.org)(gentooAccess=dev.gentoo.org)

===


I don't see a fast 1:1 mapping of those into the nslcd.conf.

Also, I found this buried comment that outright scares me:
https://arthurdejong.org/nss-pam-ldapd/nslcd.conf.5
"If the LDAP server is unavailable during start-up nslcd will not start."
That means disconnected reboots are NOT safe, because nslcd won't start on boot, and after the network returns, you'll have to login another way to start nslcd.
Mostly thinking of a case where there is a power interruption, and the host boots much faster than switchgear.
Comment 2 Christopher Byrne 2024-06-30 18:09:21 UTC
The above "If the LDAP server is unavailable during start-up nslcd will not start." only applies if "base" is not set and nslcd has to probe, otherwise, it does start up and stays up even if the server is inaccessible.

As far as translating the above, I think it would look like this:

base dc=gentoo,dc=org

base passwd ou=devs,dc=gentoo,dc=org
scope passwd subtree
filter passwd (&(|(gentooAccess=woodpecker.gentoo.org)(gentooAccess=dev.gentoo.org))(gentooStatus=active))

base shadow ou=devs,dc=gentoo,dc=org
scope shadow subtree
filter shadow (&(|(gentooAccess=woodpecker.gentoo.org)(gentooAccess=dev.gentoo.org))(gentooStatus=active))

base group ou=groups,dc=gentoo,dc=org
scope group one
filter group (&(|(gentooAccess=woodpecker.gentoo.org)(gentooAccess=dev.gentoo.org))

I think the pam_filter option is obsolete, the above statements should replace and it can be dropped with nss-pam-nslcd. I tested the configuration and filter for syntactical correctness, but of course I cannot test beyond that.