Re: [HEADS UP]: OpenLDAP+nss_ldap+nss_modules separated patch and more (SoC)



On Wed, Aug 23, 2006 at 01:33:01PM -0700, Doug Barton wrote:
> Michael Bushkov wrote:
> > Hi,
> > First, thanks to all FreeBSD people and to Google for the great summer!
> > As the SoC deadline has almost arrived, I'm glad to post most of this
> > summer's work results.
>
> Congratulations on your success with this project!
>
> > OpenLDAP + rewritten-from-scratch nss_ldap + nsswitch with separate
> > shared nss-modules patch.
> > To have it in the tree, OpenLDAP also needed to be placed in the tree.
>
> Here is where (once again) we have a difference of opinion. I still believe
> strongly that the nss_ldap part of your work should be a port, with a
> dependency on the openldap in ports. I've stated my reasoning on this in the
> previous thread, so I won't rehash it here unless someone asks. I would like
> to point out though that I feel the numerous problems raised in this thread
> give even more weight to the request that I, and others made not to have it
> incorporated into the base.
>
> This in no way is meant to indicate that your work has no value, or is
> somehow "less valuable" than work that is actually in the base. It is simply
> a realistic reflection of the fact that this facility will be needed by a
> small percentage of FreeBSD users, and the difficulties (costs) outweigh the
> corresponding benefit.

I disagree. Having authentication functions outside the base makes them
more vulnerable to configuration problems and general library cross
threading. It also means they can't work out of the box. I think the
costs are likely fairly small (no worse than those associated with
OpenSSL) and the benefits are substantial. I suspect you are correct
that a large portion of FreeBSD users don't need LDAP authentication,
but I believe our long-term future depends in part on attracting the
types of institutional users who do need it. I think we need to get to
the point where we can authenticate against LDAPish systems such as
Active Directory without substantially more configuration than is
currently required for nis. Currently joining the NIS/NFS cluster in
our department requires adding the following lines to /etc/rc.conf and
copying over our standard amd.conf:

nisdomainname="XXX"
nis_client_enable="YES"
amd_enable="YES"
amd_flags=""
nfs_client_enable="YES"

That's it, and that's where we need to be with regard to modern LDAP
based directory services if we want people with central authentication
and authorization systems to take us seriously.

Personally, I'd like to see at least some of the command line client
tools imported as well and the ldap libraries.

-- Brooks
