From owner-freebsd-security@FreeBSD.ORG Sun Sep 25 00:41:15 2011
Date: Sat, 24 Sep 2011 20:12:58 -0400
From: Ryan Steinmetz
To: "Hartmann, O."
Cc: freebsd-security@freebsd.org, Mike Carlson
Subject: Re: PAM modules -> LDAP!
Message-ID: <20110925001258.GA28508@fast.rit.edu>
In-Reply-To: <20110917135341.GA23643@fast.rit.edu>
References: <86boukbk8s.fsf@ds4.des.no> <4E73C163.9040601@llnl.gov> <4E7492FE.2090506@zedat.fu-berlin.de> <20110917135341.GA23643@fast.rit.edu>
User-Agent: Mutt/1.5.21 (2010-09-15)
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Sun, 25 Sep 2011 00:41:15 -0000

On (09/17/11 14:30), Hartmann, O. wrote:
> On 09/16/11 23:36, Mike Carlson wrote:
> > On 09/16/2011 08:05 AM, Dag-Erling Smørgrav wrote:
> >> We currently have a number of PAM modules in ports, and while some of
> >> them are specific to certain third-party software, many aren't. I
> >> believe we would benefit from importing at least some of these into
> >> base. My question is: which ones?
> >>
> >> DES
> >
> > LDAP support out of the box would be fantastic.
> >
> > Mike C
> > _______________________________________________
> > freebsd-security@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-security
> > To unsubscribe, send any mail to
> > "freebsd-security-unsubscribe@freebsd.org"
>
> Also a strong vote for LDAP support. LDAP is our backend for several
> server systems and it is a kind of pain having to think first about the
> ports to be installed. Also I suspect and hope for better integration if
> LDAP becomes part of the core system.
>
> Regards,
> Oliver

I think some caution should be used whenever we discuss merging things into
the base system. There may be other ways of achieving the same functionality
without the challenges that come with merging things directly into the base
system. Ports tend to be easier to update (in terms of version bumps/feature
additions) when compared to things that become part of base.
I think an interesting concept would be something that gave us the ability
to (easily) tie certain ports into software from the base system, something
that would allow the software to be more easily kept current. Perhaps this
could be done via some sort of base-integrated ports category that requires
extra-special care/controls when being updated.

Using the above idea, perhaps we could have ISOs or the like available that
include these 'base-integrated' ports pre-installed, thus giving users the
ability to (effectively) have an out-of-the-box solution that included LDAP
support, etc., while still having these 'base-integrated' ports loosely
coupled with the base OS. The concept could keep the base system lean, but
provide the flexibility that users desire.

Obviously there are some complexities associated with implementing the
framework and details that would need to be worked out, but this could
address:

- The desire to keep the base system lean
- The desire to provide certain features out-of-the-box
- The ability to keep these 'base-integrated' ports more current in terms
  of features/functionality

-r

-- 
Ryan Steinmetz
PGP: EF36 D45A 5CA9 28B1 A550 18CD A43C D111 7AD7 FAF2