Bug 553857 - Review Request - pam_ldap (for an nss_ldap/pam_ldap split)
Summary: Review Request - pam_ldap (for an nss_ldap/pam_ldap split)
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Stephen Gallagher
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 103568 555121
TreeView+ depends on / blocked
 
Reported: 2010-01-09 05:01 UTC by Nalin Dahyabhai
Modified: 2010-03-25 23:05 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-03-25 23:05:23 UTC
nalin: fedora_requires_release_note?
sgallagh: fedora-review+
kevin: fedora-cvs+


Attachments (Terms of Use)

Description Nalin Dahyabhai 2010-01-09 05:01:43 UTC
The pam_ldap module's been in the nss_ldap package for *years*, despite being a different upstream project with its own web site and version numbering.  Having them in there together makes it harder to try alternate implementations of one or the other.

Spec URL: http://nalin.fedorapeople.org/pam_ldap.spec
SRPM URL: http://nalin.fedorapeople.org/pam_ldap-185-1.src.rpm
Spec URL: http://nalin.fedorapeople.org/nss_ldap.spec
SRPM URL: http://nalin.fedorapeople.org/nss_ldap-265-1.src.rpm

Comment 1 Nalin Dahyabhai 2010-01-11 22:18:12 UTC
CCing Tomas, the authconfig maintainer, because this split also changes the names of the configuration files (nss_ldap will read nss_ldap.conf and optionally nss_ldap.secret; pam_ldap will read pam_ldap.conf and optionally pam_ldap.secret).

Comment 2 Tomas Mraz 2010-01-12 07:40:30 UTC
Is having separate configuration for pam_ldap and nss_ldap really a good idea? It creates unnecessary hassle for the sysadmins and in 99% of configurations involving both of these packages the contents of the configuration files will be the same. I suggest adding a subpackage (either to pam_ldap or nss_ldap - choose package which you think will be used in more cases) named for example ldap-config which would contain just the ldap.conf and ldap.secret files. The nss_ldap and pam_ldap packages can then require this package.

Comment 3 Nalin Dahyabhai 2010-01-12 18:40:04 UTC
(In reply to comment #2)
> Is having separate configuration for pam_ldap and nss_ldap really a good idea?
> It creates unnecessary hassle for the sysadmins and in 99% of configurations
> involving both of these packages the contents of the configuration files will
> be the same. I suggest adding a subpackage (either to pam_ldap or nss_ldap -
> choose package which you think will be used in more cases) named for example
> ldap-config which would contain just the ldap.conf and ldap.secret files. The
> nss_ldap and pam_ldap packages can then require this package.    

The upstream tarballs actually ship default configuration files with different contents.  There's nothing stopping an admin from linking the two.

Meanwhile, moving the ldap.conf file from one package to the other during an upgrade requires stepping around RPM's built-in handling of %config files, and probably needs to involve triggers -- I just don't want to go there.

I'm also wary of people continuing to incorrectly assume that /etc/ldap.conf is some global everything-should-read-this-file-for-ldap-settings file, which it was never supposed to be.

Comment 5 Stephen Gallagher 2010-03-23 16:59:01 UTC
None of the rpmlint warnings/errors are of concern.

rpmlint output:
pam_ldap.src: W: spelling-error %description -l en_US pam -> map, Pam, pan
pam_ldap.src: W: spelling-error %description -l en_US ldap -> lap, leap, adapt
pam_ldap.src: W: spelling-error %description -l en_US crypted -> crypt ed, crypt-ed, encrypted
pam_ldap.x86_64: W: spelling-error %description -l en_US pam -> map, Pam, pan
pam_ldap.x86_64: W: spelling-error %description -l en_US ldap -> lap, leap, adapt
pam_ldap.x86_64: W: spelling-error %description -l en_US crypted -> crypt ed, crypt-ed, encrypted
pam_ldap.x86_64: E: zero-length /usr/share/doc/pam_ldap-185/NEWS
pam_ldap.x86_64: E: non-readable /etc/pam_ldap.secret 0600
pam_ldap.x86_64: W: dangerous-command-in-%pre cp
pam_ldap.x86_64: W: dangerous-command-in-%post mv
pam_ldap-debuginfo.x86_64: W: spelling-error Summary(en_US) pam -> map, Pam, pan
pam_ldap-debuginfo.x86_64: W: spelling-error Summary(en_US) ldap -> lap, leap, adapt
pam_ldap-debuginfo.x86_64: W: spelling-error %description -l en_US pam -> map, Pam, pan
pam_ldap-debuginfo.x86_64: W: spelling-error %description -l en_US ldap -> lap, leap, adapt
3 packages and 0 specfiles checked; 2 errors, 12 warnings.


MUST: A package must own all directories that it creates. If it does not create a directory that it uses, then it should require a package which does create that directory. [13]
This package uses /%{_usr}/security but does not have 'Requires: pam'

Comment 6 Nalin Dahyabhai 2010-03-23 17:11:11 UTC
(In reply to comment #5)
> MUST: A package must own all directories that it creates. If it does not create
> a directory that it uses, then it should require a package which does create
> that directory. [13]
> This package uses /%{_usr}/security but does not have 'Requires: pam'    

Adding an explicit requirement on "pam" to these candidates:
http://nalin.fedorapeople.org/pam_ldap.spec
http://nalin.fedorapeople.org/pam_ldap-185-5.src.rpm

Comment 7 Stephen Gallagher 2010-03-23 17:18:33 UTC
With that final change, this review request is approved.

Comment 8 Nalin Dahyabhai 2010-03-23 17:24:38 UTC
New Package CVS Request
=======================
Package Name: pam_ldap
Short Description: PAM module for LDAP
Owners: nalin@redhat.com
Branches: devel
InitialCC:

Comment 9 Kevin Fenzi 2010-03-24 03:23:05 UTC
CVS done (by process-cvs-requests.py).
(please use fedora account system name in Owners, not email address)

Comment 10 Nalin Dahyabhai 2010-03-25 23:05:23 UTC
Built pam_ldap-185-5.fc14.  Thanks, everyone!


Note You need to log in before you can comment on or make changes to this bug.