libpam-ldap and libnss-ldap in main.

Rick Clark rick.clark at
Wed Sep 19 22:52:29 BST 2007


I would like to request that libpam-ldap and libnss-ldap be included in main.  
I'm sorry this is coming at this late date, but after these packages received 
a thorough walloping by Ian[1][2], I requested a review from Kees. He only 
finished that review last week, when I was at vmworld.  My arguments for 
inclusion are as follows:

1 These packages are ubiquitous.  They are shipped with every major 
distribution and some commercial UNIX products.  In fact, Redhat has included 
this package for at least eight years.

2 These packages are required for LDAP authentication.  LDAP authentication is 
used in almost all large commercial environments and is extremely popular in 
smaller ones as well. 

3 This is being used by our users anyway, including many who pay for support 
contracts.  Any bug in these packages will affect us and will be seen as an 
Ubuntu issue whether we officially support them or not.

4 The Support Team has requested that we officially support these packages.  
Customers are demanding it and are running it anyway.

5 Upstream is responsive.  I have discussed this issue with the upstream 
author, who admits that a rewrite might be necessary.  He is more than willing 
to accept patches and already does so from Redhat and Novell.

6 Kees has taken a look at the code, and although he shares Ian's concerns, 
specifically concerning libpam-ldap, he considers the risk low and is fine 
with inclusion. (emails attached)

7 These packages are extremely well tested and have been used for nearly a 

While none of these arguments might be enough on their own, I believe combined 
they make a strong case that it is a low risk to support these packages, that 
not doing so is a disservice to a substantial number of our users, and 
hinders the adoption of Ubuntu in many environments.


Ubuntu Server Team

-------------- next part --------------
An embedded message was scrubbed...
From: Kees Cook <kees at>
Subject: lib{nss,pam}-ldap security review
Date: Mon, 10 Sep 2007 17:14:03 -0700
Size: 3719
-------------- next part --------------
An embedded message was scrubbed...
From: Kees Cook <kees at>
Subject: Re: lib{nss,pam}-ldap security review
Date: Tue, 18 Sep 2007 07:30:51 -0700
Size: 3193