[HEADS UP]: OpenLDAP+nss_ldap+nss_modules separated patch and more (SoC)

Brooks Davis brooks at one-eyed-alien.net
Wed Aug 23 20:55:29 UTC 2006


On Wed, Aug 23, 2006 at 01:33:01PM -0700, Doug Barton wrote:
> Michael Bushkov wrote:
> > Hi,
> > First, thanks to all FreeBSD people and to Google for the great summer!
> > As the SoC deadline has almost arrived, I'm glad to post most of this
> > summer's work results.
> 
> Congratulations on your success with this project!
> 
> > OpenLDAP + rewritten-from-scratch nss_ldap + nsswitch with separate
> > shared nss-modules patch.
> > To have
> > it in the tree, OpenLDAP was also needed to be placed in the tree.
> 
> Here is where (once again) we have a difference of opinion. I still believe
> strongly that the nss_ldap part of your work should be a port, with a
> dependency on the openldap in ports. I've stated my reasoning on this in the
> previous thread, so I won't rehash it here unless someone asks. I would like
> to point out though that I feel the numerous problems raised in this thread
> give even more weight to the request that I, and others made not to have it
> incorporated into the base.
> 
> This in no way is meant to indicate that your work has no value, or is
> somehow "less valuable" than work that is actually in the base. It is simply
> a realistic reflection of the fact that this facility will be needed by a
> small percentage of FreeBSD users, and the difficulties (costs) outweigh the
> corresponding benefit.

I disagree.  Having authentication functions outside the base makes them
more vulnerable to configuration problems and general library cross
threading.  It also means they can't work out of the box.  I think the
costs are likely fairly small (no worse than those associated with
OpenSSL) and the benefits are substantial.  I suspect you are correct
that a large portion of FreeBSD users don't need LDAP authentication,
but I believe our long-term future depends in part on attracting the
types of institutional users who do need it.  I think we need to get to
the point where we can authenticate against LDAPish systems such as
Active Directory without substantially more configuration than is
currently required for nis.  Currently joining the NIS/NFS cluster in
our department requires adding the following lines to /etc/rc.conf and
copying over our standard amd.conf:

nisdomainname="XXX"
nis_client_enable="YES"
amd_enable="YES"
amd_flags=""
nfs_client_enable="YES"

That's it and that's where we need to be with regard to modern LDAP
based directory services if we want people with central authentication
and authorization systems to take us seriously.

Personally, I'd like to see at least some of the command line client
tools imported as well and the ldap libraries.

-- Brooks