PAM modules -> LDAP!

Benjamin Kaduk kaduk at MIT.EDU
Sun Sep 25 03:14:01 UTC 2011


On Sat, 24 Sep 2011, Ryan Steinmetz wrote:

>
> I think an interesting concept would be something that gave us the
> ability to (easily) tie certain ports into software from the base system.
> Something that would allow the software to be more easily kept current.
> Perhaps this could be done via some sort of base-integrated ports
> category that require extra-special care/controls when being updated.

I would very much love a way to tie certain ports into the base system, by 
which I mean have the base system utilities link against libraries 
provided by a port.  (My particular example at hand would be to link ssh 
and friends against MIT kerberos from ports, but there are a goodly number 
of other examples.)  Yet, in order for the benefits of ports to work, 
there would need to be a way to hook into the base system to get these 
utilities updated with port updates, and probably a way to disable the 
base system version of the libraries but still have utilities link against 
them (from ports).
I do not think this is possible without a great deal of build 
infrastructure work; certainly just a special category of port is 
insufficient, as it should still have the update problem.
Though perhaps my vision is not exactly what you are aiming for ...

>
> Using the above idea, perhaps we could have ISOs or the like available
> that include these 'base-integrated' ports pre-installed, thus giving
> users the ability to (effectively) have an out-of-the-box solution that
> included LDAP support, etc., while still having these 'base-integrated'
> ports loosely coupled with the base OS.  The concept could keep the base
> system lean, but provide the flexibility that users desire.

People seem to have concerns about the ability of (some) mirrors to cope 
with huge piles of data, particularly in the context of regularly updated 
package sets from ports.  Those concerns would seem to apply to this as 
well, as it would apply a scaling factor to the number of isos involved.
Now, having an extra option in the installer "Do you want to install the 
LDAP package? (y/n)" is another matter, and potentially doable.  (Though 
given that perl was pulled *out* of this near-base status in the fairly 
recent past does give one pause ...)

>
> Obviously there are some complexities associated with implementing the
> framework and details that would need to be worked out, but this could
> address:
> -The desire to keep the base system lean
> -The desire to provide certain features out-of-the-box
> -The ability to keep these 'base-integrated' ports more current in terms
> of features/functionality

My main concern is with respect to the third point, in making sure that 
there do not creep in interdependencies that make updating the port 
components complicated or fragile.

-Ben Kaduk

