[Bug 226119] Feature request: Add ldap data source for the NSS netgroup database
bugzilla-noreply at freebsd.org
Thu Feb 22 14:38:37 UTC 2018
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226119
Bug ID: 226119
Summary: Feature request: Add ldap data source for the NSS netgroup database
Product: Base System
Version: 11.0-STABLE
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: freebsd-bugs at FreeBSD.org
Reporter: vmiller at verisign.com
The nsswitch.conf man page describes the sources that are currently implemented
for NSS, which exclude LDAP. An LDAP data source will enable FreeBSD clients to
more easily integrate with central user/account management frameworks like
FreeIPA & sssd.
As an illustration of problems that would be mitigated by the implementation
of an ldap data source, consider that in a centralized user accounting and
management system, particularly FreeIPA, sudo queries the data source (sss),
which returns netgroups; sudo responds by subsequently calling innetgr().
When called, innetgr() loads and iterates over /etc/netgroup looking for
matching entries. As netgroup grows in size, so does the amount of time
required to iterate it. For example, my tests using a ~1.5MB file consisting of
~31,000 entries took 30 seconds to return a password prompt as it traversed
netgroup to ensure the invoking user was permitted.
The following references describe FreeBSD deployment within a FreeIPA/sssd
framework and illustrate that multiple users are deploying FreeBSD in such a
configuration.
https://blog.hostileadmin.com/2016/03/24/integrating-freebsd-w-freeipasssd/
https://forums.freebsd.org/threads/freebsd-freeipa-via-sssd.46526/
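To make the cost described in the report concrete, here is an added example (not part of the bug report or of FreeBSD's libc) that parses a constructed netgroup(5)-style file, walks it the way innetgr(3) does (nested groups, cycle protection, empty field as wildcard) and, as the contrast, builds a one-time user index so that repeated membership checks no longer rescan the whole file. The sample data, the group names and the user index are assumptions made up for the illustration.

```python
import re
# Constructed sample netgroup(5) data (not from the bug report). Each entry is a
# name followed by (host,user,domain) triples and/or names of nested netgroups.
SAMPLE_NETGROUP = """\
# an empty field is a wildcard; "-" is a field that matches no real value
admins   (-,alice,example.com) (-,bob,example.com)
dbhosts  (db1.example.com,-,example.com) (db2.example.com,-,)
ops      admins (-,carol,example.com)
everyone ops dbhosts
loop     everyone loop
"""
TRIPLE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")
def parse_netgroup(text):
    """Parse netgroup text into {name: (triples, nested_names)}; '' -> None."""
    groups = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, rest = line.partition(" ")
        triples = [tuple(f.strip() or None for f in m) for m in TRIPLE.findall(rest)]
        nested = TRIPLE.sub(" ", rest).split()
        groups[name] = (triples, nested)
    return groups
def triples_of(groups, netgroup, seen=None):
    """Yield every triple reachable from netgroup, following nested groups and
    skipping cycles, the way innetgr(3)'s walk over /etc/netgroup does."""
    seen = set() if seen is None else seen
    if netgroup in seen or netgroup not in groups:
        return
    seen.add(netgroup)
    triples, nested = groups[netgroup]
    yield from triples
    for n in nested:
        yield from triples_of(groups, n, seen)
def innetgr(groups, netgroup, host=None, user=None, domain=None):
    """Linear scan: each call re-walks the group, the cost the report describes."""
    ok = lambda entry, wanted: entry is None or wanted is None or entry == wanted
    return any(ok(h, host) and ok(u, user) and ok(d, domain)
               for h, u, d in triples_of(groups, netgroup))
def build_user_index(groups):
    """Flatten once into {user: {netgroup, ...}} so later lookups are dict hits."""
    index = {}
    for name in groups:
        for _, u, _ in triples_of(groups, name):
            if u is not None:
                index.setdefault(u, set()).add(name)
    return index
```

With a file of tens of thousands of entries, `innetgr` repeats the full walk on every sudo check, whereas `build_user_index` pays that walk once, which is the kind of lookup a directory-backed source hands to the client.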