Comment 14 for bug 334374

Daniel Richard G. (skunk) wrote :

Robie, thanks for commenting.

Note that the ldap-auth-config package does not preclude alternate forms of managing /etc/ldap.conf. It won't touch an existing config file, nor complain if the one it creates is modified. Also, while this package does not exist in Debian, the file is still created when libnss-ldap or libpam-ldap is installed---there is no expectation that the user will create this file (let alone *know* to create this particular file) from scratch.

The reason why I think a hard dependency is warranted is that if you install libnss-ldap without libpam-ldap, not only are you left with no config file for the former (i.e. /etc/ldap.conf), you could easily be misled into thinking that /etc/ldap/ldap.conf (from the libldap package) is relevant---especially as "man ldap.conf" refers to the latter. This is the scenario I encountered, and IMO it made clear why weakening the dependency on ldap-auth-config was the wrong way to go.

(Bug 1016592, and this one, would still be addressed by weakening the ldap-auth-config -> ldap-auth-client dependency instead.)

As far as Debian is concerned, I would strongly advocate for having ldap-auth-config (and perhaps ldap-auth-client and friends) paralleled there. Right now, you have duplicate logic in the libnss-ldap and libpam-ldap package postinst scripts; Ubuntu's approach essentially factors that out into a separate package. The only change I would make is to downgrade the ldap-auth-config -> ldap-auth-client dependency to a Suggests (or nothing), to eliminate the cycle in the dependency graph.