[opensuse-factory] What's new in OpenLDAP
Hello fellow Factory users. There is some interesting progress going on with the OpenLDAP package. Feature-wise, OpenLDAP will soon be able to check password strength and enforce password strength policies that comply with your IT needs; the feature comes in the new package "ppolicy-check-module". Please read ppolicy-check-password.5 (https://build.opensuse.org/package/view_file/network:ldap/openldap2/ppolicy-...) if you are interested in finding out more.

Apart from the new feature, a decision had to be made to determine the appropriate package for the file /etc/openldap/ldap.conf - a system-wide configuration file for all client applications that link against the LDAP library. Here are the facts:

- ldap.conf is a system-wide configuration file, shared by all client applications that link against the LDAP library.
- The LDAP library will automatically load parameters from ldap.conf, but it will not complain if the file is missing or empty.
- ldap.conf used to belong to the openldap2-client package, which contains command line utilities for interacting with an LDAP server. However, since ldap.conf is made for more than the command line utilities, the file was moved into libldap to live with the library .so files.

But there's an important decision to be made, and I would love to hear your opinion: should ldap.conf belong in the libldap package at all?

The argument against it says that in the future, if OpenLDAP upstream releases a new version and breaks backward compatibility, AND if both the new release and the current release must be supported by openSUSE, ldap.conf will become a file conflict between libldap-New-And-Incompatible and libldap-2.4 (current). At the same time, the argument supporting placement of ldap.conf inside libldap cites the fact that libldap uses ldap.conf by contract and hence they should belong together. Moreover, OpenLDAP-New-And-Incompatible is nowhere to be seen at this moment. So what do you think?
Kind regards, Howard -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Howard Guo wrote:
There is some interesting progress going on with the OpenLDAP package. Feature-wise, OpenLDAP will soon be able to check password strength and enforce password strength policies that comply with your IT needs; the feature comes in the new package "ppolicy-check-module". Please read ppolicy-check-password.5 (https://build.opensuse.org/package/view_file/network:ldap/openldap2/ppolicy-...) if you are interested in finding out more.
There are also two new packages.

1. openldap2-back-sock, which can be used as a backend or overlay to forward LDAP requests to an external daemon via a Unix domain socket (used in my OATH-LDAP implementation).
2. openldap2-contrib, with a bunch of useful overlays that come from OpenLDAP's source contrib/ tree:
   - allop
   - allowed: generates attributes indicating access rights
   - autogroup
   - cloak
   - denyop
   - lastbind: writes the last bind timestamp to the entry
   - noopsrch: handles the no-op search control
   - nops
   - pw-sha2: generates/validates SHA-2 password hashes
   - pw-pbkdf2: generates/validates PBKDF2 password hashes
   - smbk5pwd: generates Samba3 password hashes (heimdal krb disabled)

The pw-* overlays allow using stronger password hashes and are interoperable with the stuff Howard mentioned above.
Apart from the new feature, a decision had to be made to determine the appropriate package for the file /etc/openldap/ldap.conf - a system-wide configuration file for all client applications that link against the LDAP library.
I'm ok with both approaches:

1. adding ldap.conf directly to libldap
2. having a separate package openldap2-client-config, but with Requires: openldap2-client-config in all libldap packages (which would also be useful for the old compat-openldap-2.3 libs).

Ciao, Michael.
On Tue, Feb 23, Howard Guo wrote:
- The LDAP library will automatically load parameters from ldap.conf, but it will not complain if the file is missing or empty.
But there's an important decision to be made, and I would love to hear your opinion: should ldap.conf belong in the libldap package at all?
If ldap works without a config file, why package /etc in the first place? Just look at the mess we created in /etc in the last 20 years. Whoever runs ldap will just create the file, perhaps based on a template in %{defaultdocdir}.

Olaf
Sent from my iPhone

On 23 Feb 2016, at 17:42, Olaf Hering <olaf@aepfle.de> wrote:
On Tue, Feb 23, Howard Guo wrote:
- The LDAP library will automatically load parameters from ldap.conf, but it will not complain if the file is missing or empty.
But there's an important decision to be made, and I would love to hear your opinion: should ldap.conf belong in the libldap package at all?
If ldap works without a config file, why package /etc in the first place? Just look at the mess we created in /etc in the last 20 years. Whoever runs ldap will just create the file, perhaps based on a template in %{defaultdocdir}.
I agree. Just place a (well commented) example in the documentation of libldap.
Andrei Borzenkov wrote:
Sent from my iPhone

On 23 Feb 2016, at 17:42, Olaf Hering <olaf@aepfle.de> wrote:
On Tue, Feb 23, Howard Guo wrote:
- The LDAP library will automatically load parameters from ldap.conf, but it will not complain if the file is missing or empty.
But there's an important decision to be made, and I would love to hear your opinion: should ldap.conf belong in the libldap package at all?
If ldap works without a config file, why package /etc in the first place? Just look at the mess we created in /etc in the last 20 years. Whoever runs ldap will just create the file, perhaps based on a template in %{defaultdocdir}.
I agree. Just place a (well commented) example in the documentation of libldap.
You cannot tell whether "ldap works without a config file". There are LDAP-enabled applications without their own LDAP configuration which rely on an existing ldap.conf (in the openSUSE package at /etc/openldap/ldap.conf). It's much easier to explain to people how to tweak an existing config file with the right pathname than to let them look somewhere for a template.

Ciao, Michael.
On Tue, Feb 23, Michael Ströder wrote:
It's much easier to explain to people how to tweak an existing config file with the right pathname than to let them look somewhere for a template.
We invented YaST for them...

Olaf
Olaf Hering [23.02.2016 16:11]:
On Tue, Feb 23, Michael Ströder wrote:
It's much easier to explain to people how to tweak an existing config file with the right pathname than to let them look somewhere for a template.
We invented YaST for them...
Great. Explaining to users how to tweak an existing config file using a bazillion screenshots instead of simply showing them sample lines. Or a small video on YouTube. When you do not know about the content of ldap.conf, it might be very confusing to tell the users what must go there and what may go there. Just like modifying sssd.conf until the last patch came :-\

Werner
Howard, On Tue, 2016-02-23 at 14:44 +0100, Howard Guo wrote:
Here are the facts:

- ldap.conf is a system-wide configuration file, shared by all client applications that link against the LDAP library.
- The LDAP library will automatically load parameters from ldap.conf, but it will not complain if the file is missing or empty.
- ldap.conf used to belong to the openldap2-client package, which contains command line utilities for interacting with an LDAP server. However, since ldap.conf is made for more than the command line utilities, the file was moved into libldap to live with the library .so files.
But there's an important decision to be made, and I would love to hear your opinion: should ldap.conf belong in the libldap package at all?
The argument against it says that in the future, if OpenLDAP upstream releases a new version and breaks backward compatibility, AND if both the new release and the current release must be supported by openSUSE, ldap.conf will become a file conflict between libldap-New-And-Incompatible and libldap-2.4 (current).
The common approach here is to split the 'data' files away from the library (libFOO<N>) into a libfoo-data, which is then required like:

Requires: libFOO-data >= %{version}

This ensures that the NEWEST library gets to decide which -data file is to be pulled in. In most cases, the old one is there for legacy reasons, often because something has not (yet) been rebuilt. Breaking this to start with would cause trouble in a fast moving, rolling dist (it does not even require that we provide a compatibility pack; a user updating who has any other package linked against the old lib would run into the issue).

Dominique
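The library/data split Dominique describes, and the %config migration point raised later in the thread, written out as an RPM spec sketch. This is an added illustration, not a fragment of the openSUSE openldap2 spec; the subpackage name libldap-2_4-2, the file list and the %config(noreplace) marking are assumptions chosen to match the discussion.

```spec
# Versioned library subpackage: only the shared objects, no configuration.
# Two versions (e.g. libldap-2_4-2 and a future libldap-N) can then be
# installed side by side without both trying to own ldap.conf.
%package -n libldap-2_4-2
Summary:        OpenLDAP client library
# The newest installed libldap decides which -data package is pulled in;
# an older compat library still finds a usable ldap.conf on the system.
Requires:       libldap-data >= %{version}

# Unversioned, architecture-independent subpackage owning the shared
# system-wide client configuration read by every libldap user.
%package -n libldap-data
Summary:        System-wide ldap.conf for applications linked against libldap
BuildArch:      noarch

%files -n libldap-2_4-2
%{_libdir}/libldap-2.4.so.*
%{_libdir}/liblber-2.4.so.*

%files -n libldap-data
%dir %{_sysconfdir}/openldap
# noreplace: a locally edited ldap.conf is kept on upgrade and the packaged
# copy lands beside it as ldap.conf.rpmnew, so existing settings survive
# the move of the file from openldap2-client into libldap-data.
%config(noreplace) %{_sysconfdir}/openldap/ldap.conf
```

When the file changes owner between packages in the same update, RPM tolerates the handover as long as the old package version that shipped it is replaced in the same transaction; checking the update path on a system with a locally modified ldap.conf is the practical test for Olaf's concern.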
Thanks DimStar and all other responses. So let's go with the convention and introduce a libldap-data package! Any last minute objections?

Kind regards, Howard

On Tue, 23 Feb 2016, Dominique Leuenberger / DimStar wrote:
Howard,
On Tue, 2016-02-23 at 14:44 +0100, Howard Guo wrote:
Here are the facts:

- ldap.conf is a system-wide configuration file, shared by all client applications that link against the LDAP library.
- The LDAP library will automatically load parameters from ldap.conf, but it will not complain if the file is missing or empty.
- ldap.conf used to belong to the openldap2-client package, which contains command line utilities for interacting with an LDAP server. However, since ldap.conf is made for more than the command line utilities, the file was moved into libldap to live with the library .so files.
But there's an important decision to be made, and I would love to hear your opinion: should ldap.conf belong in the libldap package at all?
The argument against it says that in the future, if OpenLDAP upstream releases a new version and breaks backward compatibility, AND if both the new release and the current release must be supported by openSUSE, ldap.conf will become a file conflict between libldap-New-And-Incompatible and libldap-2.4 (current).
The common approach here is to split the 'data' files away from the library (libFOO<N>) into a libfoo-data, which is then required like:

Requires: libFOO-data >= %{version}

This ensures that the NEWEST library gets to decide which -data file is to be pulled in. In most cases, the old one is there for legacy reasons, often because something has not (yet) been rebuilt. Breaking this to start with would cause trouble in a fast moving, rolling dist (it does not even require that we provide a compatibility pack; a user updating who has any other package linked against the old lib would run into the issue).
Dominique
On Thu, Feb 25, Howard Guo wrote:
Any last minute objections?
No objection. But if files marked as %config move from one pkg to another, make sure existing content is properly migrated at install time.

Olaf
Participants (6): Andrei Borzenkov, Dominique Leuenberger / DimStar, Howard Guo, Michael Ströder, Olaf Hering, Werner Flamme