I'm running ZCS 4.5.10 NE on RHEL 4.6 64-bit, with /etc/pam.d/system-auth configured to authenticate with pam_ldap as is the standard here.
pam_ldap in turn links to libsasl, and thanks to /etc/ld.so.conf.d/zimbra.ld.conf, sshd eventually ends up linking to stuff in /opt/zimbra/cyrus-sasl-220.127.116.11/lib
This just happens to work, but it has side effects. For example, in a clustered/SAN environment, if I needed to unmount /opt/zimbra, I couldn't.
Create /etc/sysconfig/sshd, containing
This might also be needed for other daemons. For example, I run sendmail with DAEMON=no so that cron mail has someplace to go. (If you follow the Zimbra installation instructions and never start sendmail at all, then a lot of stuff will get stuck in /var/spool/clientmqueue.)
Potentially inadequate because:
There might be stuff in /etc/ld.so.conf.d that we actually want. For example, if you happen to be running Zimbra as a Xen domU, then you probably want the kernelcap bits (hwcap 0 nosegneg).
There is some talk in bugzilla about building Zimbra binaries statically and/or with -R/-Wl linker hints. But this doesn't seem to have made it to 5.0RC2.
What's the expected state of ld.so.conf/LD_LIBRARY_PATH workarounds for 5.0GA? If you're still going to be messing with the system library path, are you prepared to tell RedHat users not to use pam_ldap?