Cristian Rodríguez said the following on 10/23/2008 12:00 PM:
> Ruben Safir wrote:
>> I can't remove openldap, sasl
> Used for system authentication methods.
Should read "LDAP can be used for identification & authentication. This requires setting up an LDAP database."

If you don't have a database you just use 'files' such as /etc/passwd, or YP/NIS. See /etc/nsswitch.

If you don't run such a database and none of your facilities need to contact such a database .... PAM and such like are 'pluggable'. If you don't include a library in the config then its presence isn't needed. The idea is that someone might come up with a 'pam_eyeball' biometric in place of a password and that can be plugged in. Its current absence shouldn't be a problem since it isn't in the config. If ldap isn't in the config then it shouldn't be needed.

Yes, I understand that tools like 'ls' need to map from the numeric id to the human readable name. See "libacl" --> getpwnam(3) and the use of /etc/nsswitch.conf. Yes, if there is a line such as

  passwd: ldap files

I could see that ldap is needed. But if the 'ldap' isn't there?

http://quark.humbug.org.au/publications/ldap/system_auth/sage-au/system_auth...
http://www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/ref-guide/s1-ldap-pa...

Once again we have the conflict between the needs of an enterprise system with full server support and an IT staff in place, and a simple "user" on a laptop or similar that doesn't have all that infrastructure behind him (or her).

PAM is most certainly pluggable.

As far as I can tell, while my syslog files have things like

  kdeinit4: nss_ldap: could not search LDAP server - Server is unavailable
  automount[2813]: bind_ldap_anonymous: lookup(ldap): Unable to bind to the LDAP server: (default), error Can't contact LDAP server

(the latter despite there being no ldap in my /etc/nsswitch.conf!) I don't see any corresponding entries for NIS/YP. "Obviously" the NIS/YP lookup has been implemented correctly so that ypbind and ypserv are not dependencies. But 'ldap' is.
As far as I can make out it is because there are entries in /etc/pam.d that make ldap 'required' for all common operations. This doesn't make sense. Yes, I can see where this requires ldap for consistency, but why, why, why is ldap configured as a requirement in /etc/pam.d?

What we have is something that Carlos and others are pointing out is a "user" distribution which is half - but only half - preconfigured for an 'enterprise'.

Simply deleting 'ldap-client' and the ldap libraries on a stand-alone single user system such as a laptop or netbook, or for that matter a SOHO or SMB system that doesn't use ldap, will, yes, "break things". You will need to remove the ldap dependency from the entries in /etc/pam.d/*

I very strongly suggest that unless openSUSE 11.x (x>0) is going to be positioned as an 'enterprise' product and have installation/configuration support to match, that the ldap dependency via the /etc/pam.d files be removed. Smaller footprint, fewer messages to syslog.

Interestingly enough, I can remove the module 'pam_ldap' and yast doesn't complain about dependencies, so obviously there is some inconsistency - if 'pam_ldap' is configured into /etc/pam.d then there should be a dependency.

-- 
"Most victories came from instantly exploiting your enemy's stupid mistakes, and not from any particular brilliance in your own plan."
  -- Orson Scott Card
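The post above argues that LDAP only becomes a hard dependency through the configuration: an `ldap` entry in /etc/nsswitch.conf, or a `pam_ldap.so` line marked `required` in a /etc/pam.d stack. The script below is an added illustration of how to audit that, not code from the thread or from openSUSE. It builds constructed sample copies of nsswitch.conf and two pam.d stacks in a temporary directory (the file names `common-auth`/`common-account` and their contents are assumptions modelled on the situation the poster describes), reports which lines route lookups to LDAP and which make `pam_ldap` mandatory, and produces a stripped copy of the pam.d files of the kind the post suggests for a stand-alone machine. It never touches /etc; point the functions at real paths only after reading them.

```shell
#!/bin/sh
# Added example, not from the thread: audit where LDAP is wired into the
# NSS and PAM configuration, and strip the pam_ldap lines the way the post
# suggests for a standalone machine. Everything below runs on constructed
# sample files in a temp directory; it never touches /etc.
set -eu

# Write constructed sample configs (hypothetical, modelled on the thread:
# no ldap in nsswitch.conf, but pam_ldap.so "required" in a pam.d stack).
make_sample() {
    root=$1
    mkdir -p "$root/pam.d"
    cat > "$root/nsswitch.conf" <<'EOF'
# constructed sample
passwd: compat
group:  compat
hosts:  files dns
EOF
    cat > "$root/pam.d/common-auth" <<'EOF'
auth    required    pam_env.so
auth    required    pam_unix2.so
auth    required    pam_ldap.so  use_first_pass
EOF
    cat > "$root/pam.d/common-account" <<'EOF'
account required    pam_unix2.so
account sufficient  pam_ldap.so
EOF
}

# nsswitch.conf lines that route a database (passwd, group, ...) to ldap.
# Empty output means glibc NSS has no reason to load nss_ldap.
nss_ldap_refs() {
    grep -n -E '^[a-z_]+:.*[[:space:]]ldap([[:space:]]|$)' "$1" || true
}

# Every pam.d line that loads pam_ldap.so, with file name and line number.
pam_ldap_refs() {
    grep -n -H 'pam_ldap\.so' "$1"/* 2>/dev/null || true
}

# Only the lines where the module is mandatory for the stack: "required"
# or "requisite" mean an unreachable LDAP server fails the whole stack,
# whereas a "sufficient" or "optional" pam_ldap line just falls through.
pam_ldap_required() {
    grep -n -H -E \
        '^[a-z]+[[:space:]]+(required|requisite)[[:space:]]+pam_ldap\.so' \
        "$1"/* 2>/dev/null || true
}

# Number of mandatory pam_ldap lines in a pam.d directory.
count_pam_ldap_required() {
    pam_ldap_required "$1" | wc -l | tr -d ' '
}

# Copy a pam.d directory to $2 with every pam_ldap.so line removed.
# This is the edit the post proposes; do it on a copy, then review it.
strip_pam_ldap() {
    src=$1; dst=$2
    mkdir -p "$dst"
    for f in "$src"/*; do
        grep -v 'pam_ldap\.so' "$f" > "$dst/$(basename "$f")" || true
    done
}

root=$(mktemp -d)
make_sample "$root"
echo "== ldap in nsswitch.conf (none expected):"
nss_ldap_refs "$root/nsswitch.conf"
echo "== pam_ldap.so lines:"
pam_ldap_refs "$root/pam.d"
echo "== mandatory pam_ldap lines: $(count_pam_ldap_required "$root/pam.d")"
strip_pam_ldap "$root/pam.d" "$root/pam.d.stripped"
echo "== after stripping: $(count_pam_ldap_required "$root/pam.d.stripped")"
rm -rf "$root"
```

On the constructed sample the nsswitch check prints nothing, the pam.d scan lists both `pam_ldap.so` lines, only the `required` one in `common-auth` is counted as mandatory, and the stripped copy has none. Run against a real system with `nss_ldap_refs /etc/nsswitch.conf` and `pam_ldap_required /etc/pam.d`, the same two checks tell you whether an LDAP server outage can fail authentication on that machine even though NSS never consults LDAP, which is exactly the asymmetry the post complains about.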