PAM modules

Lev Serebryakov lev at FreeBSD.org
Tue Sep 20 22:43:52 UTC 2011


Hello, Xin.
You wrote on 21 September 2011, 2:34:09:

> That's true but is there any very compelling reason to do that (not
> say no if someone really want to invest time on this and maintain it)
> instead of just using an actively maintained codebase?  The OpenLDAP
> license is pretty similar to a BSD license:
  My point is not the license. I don't know what is simpler:
(a) strip down and rename the API of OpenLDAP and later import new releases,
with new strip-downs and renames (IMHO, it is harder than importing and
supporting almost-intact code, like sendmail or bind),
  or
(b) maintain local code, most of which is auto-generated from the standard
by a very mature and stable tool, as Lev's asn1c is. I know Lev
personally, and he says that this tool is used by many Telco
operators and other Big Companies and he is not aware of any
outstanding bugs (since the year 2007!) even when very complex (much more
complex than LDAPv3) ASN.1 rules are processed. Sometimes he is
contacted for support, but it always turns out not to be bugs in the compiler, but some
other problems.

  Maybe importing and maintaining a hacked OpenLDAP is simpler in the
long-term perspective. Maybe not. I only want to point out that if we
want our own LDAP client library, we don't need to write tons of
non-obvious, error-prone and security-sensitive code by hand.

-- 
// Black Lion AKA Lev Serebryakov <lev at FreeBSD.org>



More information about the freebsd-security mailing list