PAM modules -> LDAP!
Benjamin Kaduk
kaduk at MIT.EDU
Sun Sep 25 03:14:01 UTC 2011
On Sat, 24 Sep 2011, Ryan Steinmetz wrote:
>
> I think an interesting concept would be something that gave us the
> ability to (easily) tie certain ports into software from the base system.
> Something that would allow the software to be more easily kept current.
> Perhaps this could be done via some sort of base-integrated ports
> category that require extra-special care/controls when being updated.
I would very much love a way to tie certain ports into the base system, by
which I mean have the base system utilities link against libraries
provided by a port. (My particular example at hand would be to link ssh
and friends against MIT kerberos from ports, but there are a goodly number
of other examples.) Yet, in order for the benefits of ports to work,
there would need to be a way to hook into the base system to get these
utilities updated with port updates, and probably a way to disable the
base system version of the libraries but still have utilities link against
them (from ports).
I do not think this is possible without a great deal of build
infrastructure work; certainly just a special category of port is
insufficient, as it should still have the update problem.
Though perhaps my vision is not exactly what you are aiming for ...
>
> Using the above idea, perhaps we could have ISOs or the like available
> that include these 'base-integrated' ports pre-installed, thus giving
> users the ability to (effectively) have an out-of-the-box solution that
> included LDAP support, etc., while still having these 'base-integrated'
> ports loosely coupled with the base OS. The concept could keep the base
> system lean, but provide the flexibility that users desire.
People seem to have concerns about the ability of (some) mirrors to cope
with huge piles of data, particularly in the context of regularly updated
package sets from ports. Those concerns would seem to apply to this as
well, as it would apply a scaling factor to the number of isos involved.
Now, having an extra option in the installer "Do you want to install the
LDAP package? (y/n)" is another matter, and potentially doable. (Though
given that perl was pulled *out* of this near-base status in the fairly
recent past does give one pause ...)
>
> Obviously there are some complexities associated with implementing the
> framework and details that would need to be worked out, but this could
> address:
> -The desire to keep the base system lean
> -The desire to provide certain features out-of-the-box
> -The ability to keep these 'base-integrated' ports more current in terms
> of features/functionality
My main concern is with respect to the third point, in making sure that
there do not creep in interdependencies that make updating the port
components complicated or fragile.
-Ben Kaduk