PAM modules

Brooks Davis brooks at freebsd.org
Wed Sep 21 14:14:18 UTC 2011


On Tue, Sep 20, 2011 at 05:21:03PM -0700, Xin LI wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> On 09/20/11 15:51, Kostik Belousov wrote:
> [...]
> > Yes, the question of maintenance of the OpenLDAP code in the base 
> > is not trivial by any means. I remember that openldap once broke 
> > the ABI on its stable-like branch.
> 
> That happened a few times; however, these are either not essential client
> library (libldap and liblber) API or it's not changing parameters or
> removing interfaces.  Moreover, like the base libbsdxml.so, it's only
> intended to be used by the base system, so it's relatively easier to
> maintain ABI stability, e.g. we can probably just expose only symbols
> that we use, etc.
> 
> > Having API renamed during the import for the actively-developed
> > third-party component is probably a stopper. I am aware of the
> > rename done for ssh import in ssh_namespace.h, but I do not think
> > such an approach scales.
> 
> That's right.  We did use a similar approach but again, if it's just
> libldap and liblber, the change would be quite slow over years.  We do
> need to patch files.
> 
> > Would the import of openldap and nss + pam ldap modules in src/
> > give any benefits over having openldap and ldap nss + pam modules
> > on the dvd1 ?
> 
> Well, for ldap nss + pam modules, people usually want them to "just
> work" rather than wanting new features provided by a port installed
> OpenLDAP.  That said, the user expects he can update any port
> without risking being locked out from the system, plus these
> modules can be upgraded or updated with existing binary update mechanisms.

This is certainly the largest benefit.  I used a variant of pam_ldap for
authentication at $WORK for many years and the instability of the
OpenLDAP API was a constant headache.

That isn't to say that importing it into base is the only possible
solution.  It is likely the most straightforward.

-- Brooks