-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Content-ID: <alpine.LSU.2.00.0810240216170.23001@nimrodel.valinor>

On Thursday, 2008-10-23 at 20:07 -0400, Anton Aylward wrote:
> Cristian Rodríguez said the following on 10/23/2008 12:00 PM:
>> Ruben Safir wrote:
>>> I can't remove openldap, sasl
>> Used for system authentication methods.
>
> Should read "LDAP can be used for identification & authentication. This requires setting up an LDAP database." ...
>
> PAM and such like are 'pluggable'. If you don't include a library in the config then its presence isn't needed. The idea is that someone might come up with a 'pam_eyeball' biometric in place of a password and that can be plugged in. Its current absence shouldn't be a problem since it isn't in the config. If ldap isn't in the config then it shouldn't be needed.
Yes, I see your point.
> Yes, I understand that tools like 'ls' need to map from the numeric id to the human readable name. See "libacl" --> getpwnam(3) and the use of /etc/nsswitch.conf. Yes, if there is a line such as
>
>     passwd: ldap files
>
> I could see that ldap is needed. But if the 'ldap' isn't there?
Maybe the client part is a requirement, and the server part is not. I don't know if both are pulled in as requirements. Let me see... [thinking] ldap will be needed when an optional configuration is included in pam telling it to use ldap. I can see a problem when the ldap libraries are not included, and the user, well, the admin, changes the pam configuration and forgets to install ldap. Therefore, it is pulled in as an rpm dependency. I'm guessing, I don't know pam or ldap in detail.
> Once again we have the conflict between the needs of an enterprise system with full server support and an IT staff in place, and a simple "user" on a laptop or similar that doesn't have all that infrastructure behind him (or her).
I know of small places that use ldap, even at home.
> PAM is most certainly pluggable. As far as I can tell
>
> While my syslog files have things like
>
>     kdeinit4: nss_ldap: could not search LDAP server - Server is unavailable
>     automount[2813]: bind_ldap_anonymous: lookup(ldap): Unable to bind to the LDAP server: (default), error Can't contact LDAP server
>
> (the latter despite there being no ldap in my /etc/nsswitch.conf!)
I don't see that error in my logs (and I don't run ldap). You must have some configuration somewhere that makes it think it should contact an ldap server; in kde4 (I seldom use kde) and in automount.
> I don't see any corresponding entries for NIS/YP. "Obviously" the NIS/YP lookup has been implemented correctly so that ypbind and ypserv are not dependencies.
>
> But 'ldap' is.
>
> As far as I can make out it is because there are entries in /etc/pam.d that make ldap 'required' for all common operations.
I believe that my config does not have such entries. It is only mentioned in the commentary of "common-auth*":

    # (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
    # traditional Unix authentication mechanisms.
    #
    auth    required    pam_env.so
    auth    required    pam_unix2.so
> This doesn't make sense. Yes, I can see where this requires ldap for consistency, but why, why, why is ldap configured as a requirement in /etc/pam.d ?
>
> What we have is something that Carlos and others are pointing out is a "user" distribution which is half - but only half - preconfigured for an 'enterprise'.
>
> Simply deleting 'ldap-client' and the ldap libraries on a stand alone single user system such as a laptop or netbook, or for that matter a SOHO or SMB system that doesn't use ldap, will, yes, "break things". You will need to remove the ldap dependency from the entries in /etc/pam.d/*
I'm afraid that simply removing the lines will not affect dependencies. Dependencies are rpms needing (saying they need) other rpms. I think that, in order to remove the ldap rpms correctly, you also need to remove the pam modules that use ldap. Perhaps somebody knows how to do this, but after the tone that Mr Ruben Safir is inflicting on the thread, this will develop into a useless flamewar and you will get few technical responses from the people who may know an answer. Sorry :-( I'm changing the subject line, in the hope of attracting someone who knows more :-)
> I very strongly suggest that unless openSUSE 11.x (x>0) is going to be positioned as an 'enterprise' product and have installation/configuration support to match, that the ldap dependency via the /etc/pam.d files be removed. Smaller footprint, fewer messages to syslog.
I don't have any ldap messages in my log, going back a year.
> Interestingly enough, I can remove the module 'pam_ldap' and yast doesn't complain about dependencies, so obviously there is some inconsistency - if 'pam_ldap' is configured into /etc/pam.d then there should be a dependency.
You have to uninstall pam_ldap...rpm. I have just tried that in YaST and it doesn't complain (I aborted, I didn't let it do it). But remember that dependencies do not rely on config files. Try removing (in the YaST package manager):

    pam_ldap...rpm
    yast2-ldap*rpm

I just saw a description there for yast2-autofs:

    yast2-autofs - YaST2 - Module to Create and Manage autofs Entries in LDAP

so that module will pull in ldap, too.

- -- 
Cheers,
       Carlos E. R.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEARECAAYFAkkBHssACgkQtTMYHG2NR9WjfACcCbRa/0XARnSKDdLbXQq+MQcY
yBUAn1tsgXKF0oW3EF4NRqFijg5/ZiE6
=IOW0
-----END PGP SIGNATURE-----
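Added example, not part of Carlos's message and not openSUSE tooling: a small POSIX sh audit for the question the thread keeps circling, namely whether LDAP is actually wired in anywhere (an active `ldap` source in /etc/nsswitch.conf, an uncommented `pam_ldap.so` rule in /etc/pam.d) versus merely being pulled in by rpm dependencies, which is what decides what YaST will or will not let you remove. The package names pam_ldap, nss_ldap and openldap2-client are assumptions about a 2008-era openSUSE install. The sample nsswitch.conf and pam.d files the script can generate are constructed for the demo; only the comment in the constructed common-auth mirrors the one quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): before removing pam_ldap or the LDAP
# client libraries, check whether NSS or PAM actually loads them, and what
# rpm thinks depends on them.  Paths are parameters so the checks can be run
# against constructed sample files as well as the live /etc.

# Print the nsswitch.conf databases (passwd, group, ...) that list "ldap" as
# an active source.  Comments are stripped first, so "# ... ldap ..." does
# not count, only a real source token does.
nss_ldap_dbs() {
    sed 's/#.*//' "$1" | awk -F: '
        NF >= 2 {
            n = split($2, src, "[ \t]+")
            for (i = 1; i <= n; i++)
                if (src[i] == "ldap") { print $1; break }
        }'
}

# Print the pam.d files containing an active (uncommented) rule that loads
# pam_ldap.so.  A mention of LDAP inside a comment, as in the default
# common-auth quoted in the thread, is not a rule and is ignored.
pam_ldap_files() {
    grep -lE '^[[:space:]]*-?(auth|account|password|session)[[:space:]].*pam_ldap\.so' \
        "$1"/* 2>/dev/null || true
}

# Write constructed sample files (not copied from any real system) under $1:
# ldap is an NSS source for passwd and group, and a PAM module only in
# common-account; common-auth mentions LDAP in a comment only.
make_samples() {
    mkdir -p "$1/pam.d"
    cat > "$1/nsswitch.conf" <<'EOF'
passwd:    compat ldap
group:     compat ldap
hosts:     files dns      # ldap mentioned here only in a comment
automount: files
EOF
    cat > "$1/pam.d/common-auth" <<'EOF'
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
auth    required    pam_env.so
auth    required    pam_unix2.so
EOF
    cat > "$1/pam.d/common-account" <<'EOF'
account required    pam_unix2.so
account sufficient  pam_ldap.so
EOF
}

# Ask rpm which installed packages require the LDAP packages.  Package names
# are assumptions for an openSUSE-era system.  This, not the config files,
# is what the package manager consults when you try to remove something.
ldap_reverse_deps() {
    if command -v rpm >/dev/null 2>&1; then
        for p in pam_ldap nss_ldap openldap2-client; do
            echo "== packages requiring $p =="
            rpm -q --whatrequires "$p" 2>/dev/null || echo "(none, or $p not installed)"
        done
    else
        echo "rpm not available; skipping dependency check"
    fi
}

# Run as:  sh audit-ldap.sh --demo   (constructed samples in a temp dir)
#     or:  sh audit-ldap.sh          (live /etc/nsswitch.conf and /etc/pam.d)
if [ "${1-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_samples "$d"
    echo "NSS databases using ldap:";        nss_ldap_dbs "$d/nsswitch.conf"
    echo "pam.d files loading pam_ldap.so:"; pam_ldap_files "$d/pam.d"
    rm -rf "$d"
elif [ -r /etc/nsswitch.conf ] && [ -d /etc/pam.d ]; then
    echo "NSS databases using ldap:";        nss_ldap_dbs /etc/nsswitch.conf
    echo "pam.d files loading pam_ldap.so:"; pam_ldap_files /etc/pam.d
    ldap_reverse_deps
fi
```

The two config checks answer Anton's question (is ldap configured anywhere?); `rpm -q --whatrequires` answers Carlos's (what will the package manager refuse, or pull in, regardless of the config?). Expect the two answers to disagree, which is the inconsistency the thread describes.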