PAM modules

Xin LI delphij at delphij.net
Wed Sep 21 17:36:35 UTC 2011



On 09/21/11 10:10, Jason Hellenthal wrote:
> 
> 
> On Wed, Sep 21, 2011 at 08:42:48AM -0500, Brooks Davis wrote:
>> On Tue, Sep 20, 2011 at 05:21:03PM -0700, Xin LI wrote:
>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
>>> 
>>> On 09/20/11 15:51, Kostik Belousov wrote: [...]
>>>> Yes, the question of maintenance of the OpenLDAP code in the
>>>> base is not trivial by any means. I remember that openldap
>>>> once broke the ABI on its stable-like branch.
>>> 
>>> That happened a few times; however, these were either not in the
>>> essential client library (libldap and liblber) API, or they did
>>> not change parameters or remove interfaces.  Moreover, like the
>>> base libbsdxml.so, it's only intended to be used by the base
>>> system, so it's relatively easier to maintain ABI stability,
>>> e.g. we can probably just expose only the symbols that we use, etc.
>>> 
>>>> Having an API renamed during the import for an
>>>> actively-developed third-party component is probably a
>>>> stopper. I am aware of the rename done for the ssh import in
>>>> ssh_namespace.h, but I do not think such an approach scales.
>>> 
>>> That's right.  We did use a similar approach but again, if it's
>>> just libldap and liblber, the change would be quite slow over
>>> years.  We do need to patch files.
>>> 
>>>> Would the import of openldap and nss + pam ldap modules in
>>>> src/ give any benefits over having openldap and ldap nss +
>>>> pam modules on the dvd1 ?
>>> 
>>> Well, for ldap nss + pam modules, people usually want them to
>>> "just work" rather than wanting new features provided by a port
>>> installed OpenLDAP.  That said, the user expects he can
>>> update any port without risking being locked out of the
>>> system, plus these modules can be upgraded or updated with
>>> existing binary update mechanisms.
>> 
>> This is certainly the largest benefit.  I used a variant of
>> pam_ldap for authentication at $WORK for many years and the
>> instability of the OpenLDAP API was a constant headache.
>> 
>> That isn't to say that importing it into base is the only
>> possible solution.  It is likely the most straightforward.
>> 
> 
> Base package system that comes pre-installed ? or just ships with
> the discs ?

Well, first and most important, someone will need to implement that,
but to be more specific there are a lot of issues that need to be
solved, like:

 - How to update your system?  The LPK patchset for instance needs to be
part of OpenSSH (not a loadable module), so we end up with a modified
sshd binary.  "make installworld" needs to know about it and not
overwrite it;
 - How to patch your system?  A mechanism like freebsd-update needs to
be implemented for these essential security services;
 - How to update these "base packages"?  There needs to be a way that
is no harder than 'make installworld', in my opinion.

That said, all of these are not impossible without direct base system
integration, but integration is the most straightforward way at this
moment.

Cheers,
-- 
Xin LI <delphij at delphij.net>	https://www.delphij.net/
FreeBSD - The Power to Serve!		Live free or die