[Pkg-openldap-devel] Bug#545414: Bug#545414: sudo-ldap: sudo fails with "sudo: setreuid(ROOT_UID, user_uid): Operation not permitted" for ldap users

Arthur de Jong adejong at debian.org
Fri Dec 10 14:31:48 UTC 2010


On Fri, 2010-12-10 at 11:42 +0800, David Adam wrote:
> libnss-ldapd should be used to replace libnss-ldap on squeeze upgrades. I 
> am still a touch wary of libnss-ldapd, only in that adding the daemon 
> introduces an additional point of failure, but have been running it on 
> our Ubuntu and squeeze systems with zero problems.

I agree that adding an extra interface opens a possibility for problems
but it also allows for better separation. If the daemon is not running
more things could go wrong and I welcome improvements for that (e.g.
possibly starting earlier during the boot sequence and polling the LDAP
server until it is available, or improved availability during upgrades).
On the other hand its operation is much simpler than with nss_ldap
because the daemon can hold some state as to whether the LDAP server is
available or not and failure when the LDAP server is unavailable is much
faster (will not hang the whole system).

Also, the daemon always runs as an unprivileged user and security of the
LDAP authentication credentials (bind password) is much more robust.

There are some differences between nss_ldap on one end and nss-pam-ldapd
on the other. nss-pam-ldapd does not currently support nested groups and
has less features in the password changing operation so it's not a
drop-in replacement for all configurations (yet).

I've also been using it without problems. There are some issues when
using Microsoft Active Directory (memory leak when chasing referrals and
a problem in the timeout handling) but I've personally had less issues
with nss-ldapd than with nss_ldap.

I don't know if it's possible (or wise) to automatically upgrade from
libnss-ldap to libnss-ldapd on a lenny->squeeze upgrade but for people
who switch it should already be quite smooth (configuration is migrated
automatically in most cases).

If no-one thinks it is a bad idea I can change the earlier text to be a
recommendation to switch to nss-pam-ldapd instead of a proposed
workaround.

-- 
-- arthur - adejong at debian.org - http://people.debian.org/~adejong --