PAM modules

Jason Hellenthal jhell at DataIX.net
Wed Sep 21 17:10:54 UTC 2011



On Wed, Sep 21, 2011 at 08:42:48AM -0500, Brooks Davis wrote:
> On Tue, Sep 20, 2011 at 05:21:03PM -0700, Xin LI wrote:
> > 
> > On 09/20/11 15:51, Kostik Belousov wrote:
> > [...]
> > > Yes, the question of maintenance of the OpenLDAP code in the base
> > > is not trivial by any means. I remember that openldap once broke 
> > > the ABI on its stable-like branch.
> > 
> > That happened a few times; however, these are either not essential client
> > library (libldap and liblber) API or it's not changing parameters or
> > removing interfaces.  Moreover, like the base libbsdxml.so, it's only
> > intended to be used by the base system, so it's relatively easier to
> > maintain ABI stability, e.g. we can probably just expose only symbols
> > that we use, etc.
> > 
> > > Having API renamed during the import for the actively-developed
> > > third-party component is probably a stopper. I am aware of the
> > > rename done for ssh import in ssh_namespace.h, but I do not think
> > > such an approach scales.
> > 
> > That's right.  We did use a similar approach but again, if it's just
> > libldap and liblber, the change would be quite slow over years.  We do
> > need to patch files.
> > 
> > > Would the import of openldap and nss + pam ldap modules in src/
> > > give any benefits over having openldap and ldap nss + pam modules
> > > on the dvd1 ?
> > 
> > Well, for ldap nss + pam modules, people usually want them to "just
> > work" rather than wanting new features provided by a port-installed
> > OpenLDAP.  That said, the user expects he can update any port
> > without risking being locked out from the system, plus these
> > modules can be upgraded or updated with existing binary update mechanisms.
> 
> This is certainly the largest benefit.  I used a variant of pam_ldap for
> authentication at $WORK for many years and the instability of the
> OpenLDAP API was a constant headache.
> 
> That isn't to say that importing it into base is the only possible
> solution.  It is likely the most straightforward.
> 

Base package system that comes pre-installed? Or just ships with the
discs?

> -- Brooks
