FreeBSD nss, getgroupmembership(3)
Frode Nordahl
frode at nordahl.net
Mon Jul 17 11:58:57 UTC 2006
On 28 May 2006, at 19.32, Matthijs Kooijman wrote:
> I've been playing around with this issue myself as well. I want to
> support nested groups through winbind, which is supported through
> winbind_getgrouplist, but not through getgrent...
Great to see some more interest in it! :-)
I am about to go live with a system with a significant number of
users ( > 1 million), and have just disabled group lookups for now.
>> By coincidence I found that NetBSD has created the infrastructure
>> needed to make this a reality already! In NetBSD getgrouplist(3) is
>> now a front-end for getgroupmembership(3).
> I just found this one too. I'm not sure how widespread the
> implementation of getgroupmembership is, though. I know nss_winbind
> does not implement it, but does implement initgroups_dyn. From your
> post I think nss_ldap does this also.
Most NSS modules come from Linux / GLIBC, and thus match their
implementations. Since this does not exist in FreeBSD yet, I would
first look to the other BSDs and try to match their implementation.
Since FreeBSD's nss comes from NetBSD I think it is pretty obvious
that we want to import new features from them, and not from GNU
Libc. :-)
However, NSS is a large beast reaching into many central parts of
libc, and great care must be taken to not break anything when
importing new code.
Last I looked it seemed like NetBSD's NSS code had moved along quite a
bit, and I don't know if it is common practice to backport specific
functionality, or to just do a new import?
>> Is there any chance for FreeBSD to get an updated import of NSS from
>> NetBSD anytime soon? :-)
> Due to the (possibly) limited support of getgroupmembership in nss
> backends, it might be better to use initgroups_dyn instead?
No, I would rather let BSD NSS be BSD NSS and implement a compatibility
layer for initgroups_dyn :-)
See /usr/src/lib/libc/net/nss_compat.c and bsdnss.c in nectar's
nss_ldap port.
> Anyway, I've spent some words on this issue on my blog [1], if anyone's
> interested. I'm planning on trying to make this work on FreeBSD
> sometime soon.
> But, since I only have FreeBSD 6.0 machines to play around with
> (possibly 6.1 soon), I will probably code up a patch for 6.0. Have
> there been big changes to nss since then that might make this a
> useless idea?
New code should generally be patches against -CURRENT, but I don't
think this is a part of the source tree that is changed very often.
I would at least have a look at the files you plan on changing from
-CURRENT so you can know that the world as you know it is not about to
be changed / replaced :)
Frode Nordahl
frode at nordahl.net
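The compatibility layer sketched in the message above (a BSD-style getgroupmembership(3) front end on top of an initgroups_dyn backend such as nss_winbind's) in working form, as an added example that is not code from this thread, from FreeBSD/NetBSD libc or from nectar's nss_ldap port. The backend table, the user "alice" and its gids are constructed, and the signatures are assumed to follow GLIBC's initgroups_dyn and NetBSD's getgroupmembership.

```c
/* Added example (not code from this thread or from FreeBSD/NetBSD libc): a small
 * compatibility layer exposing a NetBSD-style getgroupmembership(3) on top of a
 * GLIBC-style _nss_*_initgroups_dyn backend, here a constructed in-memory table
 * standing in for nss_winbind so the example runs offline. */
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <sys/types.h>

enum { NSS_STATUS_NOTFOUND = 0, NSS_STATUS_SUCCESS = 1 };   /* GLIBC's values */
static const char *sample_user = "alice";     /* constructed: primary gid 100 + 3 extras */
static const gid_t sample_supp[] = {1000, 1001, 1002};

/* Shape of GLIBC's initgroups_dyn: append supplementary gids of `user` to *groupsp
 * at index *start, realloc-growing past *size, and honouring `limit` when > 0. */
static int fake_initgroups_dyn(const char *user, gid_t group, long *start, long *size,
                               gid_t **groupsp, long limit, int *errnop)
{
    if (strcmp(user, sample_user) != 0) return NSS_STATUS_NOTFOUND;
    for (size_t i = 0; i < sizeof sample_supp / sizeof *sample_supp; i++) {
        if (sample_supp[i] == group) continue;           /* primary gid already listed */
        if (limit > 0 && *start >= limit) break;
        if (*start >= *size) {                           /* grow the buffer like GLIBC */
            gid_t *n = realloc(*groupsp, (size_t)(*size) * 2 * sizeof(gid_t));
            if (n == NULL) { *errnop = ENOMEM; return NSS_STATUS_NOTFOUND; }
            *groupsp = n; *size *= 2;
        }
        (*groupsp)[(*start)++] = sample_supp[i];
    }
    return NSS_STATUS_SUCCESS;
}

/* NetBSD-style front end: fill `groups` (capacity maxgrp) starting with basegid, put
 * the user's true group count in *ngroups, and return -1 when maxgrp was too small
 * so the caller retries with a bigger array instead of silently losing memberships. */
int compat_getgroupmembership(const char *name, gid_t basegid, gid_t *groups,
                              int maxgrp, int *ngroups)
{
    long size = 2, start = 1;     /* deliberately tiny so the realloc path is exercised */
    int err = 0;
    gid_t *buf = malloc((size_t)size * sizeof(gid_t));
    if (buf == NULL) return -1;
    buf[0] = basegid;
    if (fake_initgroups_dyn(name, basegid, &start, &size, &buf, -1, &err) != NSS_STATUS_SUCCESS) {
        free(buf); *ngroups = 0; return -1;
    }
    *ngroups = (int)start;
    memcpy(groups, buf, (size_t)(start < maxgrp ? start : maxgrp) * sizeof(gid_t));
    free(buf);
    return start > maxgrp ? -1 : 0;
}
```

A real port would replace fake_initgroups_dyn with the symbol dlsym'd from the module, and callers should treat the -1/"ngroups larger than maxgrp" case as a retry, not a success with a shorter list.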
More information about the freebsd-current mailing list