PAM modules
Benjamin Kaduk
kaduk at MIT.EDU
Fri Sep 23 02:34:48 UTC 2011
On Tue, 20 Sep 2011, Xin LI wrote:
> On 09/20/11 15:51, Kostik Belousov wrote:
> [...]
>> Yes, the question of maintenance of the OpenLDAP code in the base
>> is not trivial by any means. I remember that openldap once broke
>> the ABI on its stable-like branch.
>
> That happened a few times; however, these are either not essential client
> library (libldap and liblber) API or it's not changing parameters or
> removing interfaces. Moreover, like the base libbsdxml.so, it's only
> intended to be used by base system only so it's relatively easier to
> maintain ABI stability, e.g. we can probably just expose only symbols
> that we use, etc.

This is not without its own failures. For example, I sometimes find
myself wanting a kgetcred(1) from heimdal, but we do not build it as part
of our base heimdal. As a separate utility, this is not so bad; for a
library, things can get much more annoying.

Only exposing a limited set of symbols can make third-party tools that
want extra symbols very sad, unless it is easy to drop in a full version
from ports and still have all of base "just work". I do not quite think
that the current state of ports for ldap would "just work" without some
extra configuration (though, nor have I tried something like it).

-Ben Kaduk

More information about the freebsd-security mailing list