From: Mark Felder
To: freebsd-stable@freebsd.org
Subject: Re: LDAP authentication confusion
Date: Mon, 15 Jul 2013 14:25:03 -0500
Message-Id: <1373916303.17449.140661255966229.44609E69@webmail.messagingengine.com>
In-Reply-To: <51E44B55.6030005@rlwinm.de>
References: <51E44B55.6030005@rlwinm.de>
List-Id: Production branch of FreeBSD source code

On Mon, Jul 15, 2013, at 14:19, Jan Bramkamp wrote:
>
> More than that. In my opinion it should be updated by replacing nss_ldap
> and pam_ldap with nss-pam-ldapd, which splits the job of both into a
> shared daemon talking to the LDAP server and small stubs linked into the
> NSS/PAM-using process talking to the local daemon. This allows usable
> timeout handling and client certificates with safe permissions.
>

And if the daemon ever crashes, we can't log in to our customer servers
(assuming they nuked our local account because they have root access).
That's the one issue I have with that daemon and why we haven't migrated
to it. We should re-evaluate it, though.
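As an added example, not code from this thread or from the nss-pam-ldapd project: a POSIX sh audit of the two points argued above, namely whether a host can still be administered with the LDAP daemon down (nsswitch order plus a usable local account), and whether the daemon's client certificate key and TLS settings are actually safe. The nsswitch.conf, master.passwd and nslcd.conf contents, the "rescue" account, the hostnames and the paths are all constructed for the demonstration; nslcd.conf directive names follow nslcd.conf(5) but the values are illustrative.

```sh
#!/bin/sh
# Added example (not from the thread or the nss-pam-ldapd project).
# Audits what the thread turns on: does a host stay administrable when
# nslcd is down, and are the daemon's TLS client credentials kept with
# safe permissions. All file contents below are constructed for the demo
# and live in a temp dir; the real files would be /etc/nsswitch.conf,
# /etc/master.passwd and /usr/local/etc/nslcd.conf on FreeBSD.

# Does NSS database $2 in nsswitch.conf $1 consult "files" (or "compat")
# before "ldap"? If so, local accounts resolve even with nslcd down.
files_before_ldap() {
    line=$(grep "^$2:" "$1" | head -n 1)
    for src in ${line#*:}; do
        case "$src" in
            files|compat) return 0 ;;
            ldap)         return 1 ;;
        esac
    done
    return 1   # database missing or never consults local files
}

# Does user $2 in master.passwd $1 have a real password hash and a shell
# that permits login? This is the break-glass account that must survive
# an LDAP outage (and must not have been removed by the customer).
local_breakglass_ok() {
    entry=$(grep "^$2:" "$1" | head -n 1)
    [ -n "$entry" ] || return 1
    hash=$(printf '%s\n' "$entry" | cut -d: -f2)
    shell=$(printf '%s\n' "$entry" | cut -d: -f10)
    case "$hash" in
        ''|'*'|'*LOCKED*'*|'!'*) return 1 ;;   # no password or locked
    esac
    case "$shell" in
        */nologin) return 1 ;;
    esac
    return 0
}

# Is the nslcd client key readable by its owner only? With nss_ldap/pam_ldap
# every NSS-using process needed the credentials; with nslcd only the daemon does.
key_private() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \))" ]
}

# Does nslcd.conf $1 use TLS at all and demand server certificate verification?
nslcd_tls_strict() {
    grep -q '^tls_reqcert[[:space:]]*demand' "$1" || return 1
    grep -q '^uri[[:space:]]*ldaps://' "$1" || grep -q '^ssl[[:space:]]*start_tls' "$1"
}

# Write the constructed sample files into a fresh directory and print its path.
make_sample_files() {
    d=$(mktemp -d)
    cat > "$d/nsswitch.conf" <<'EOF'
passwd: files ldap
group: ldap files
hosts: files dns
EOF
    # FreeBSD master.passwd: name:hash:uid:gid:class:change:expire:gecos:home:shell
    cat > "$d/master.passwd" <<'EOF'
root:$6$constructed$notarealhash:0:0::0:0:Charlie &:/root:/bin/sh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
rescue:$6$constructed$notarealhash2:1001:0::0:0:Break-glass admin:/home/rescue:/bin/sh
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
EOF
    # Directive names follow nslcd.conf(5); host, paths and values are made up.
    cat > "$d/nslcd.conf" <<'EOF'
uri ldaps://ldap.example.com/
base dc=example,dc=com
tls_reqcert demand
tls_cacertfile /usr/local/etc/ssl/ca.crt
tls_cert /usr/local/etc/nslcd/client.crt
tls_key /usr/local/etc/nslcd/client.key
bind_timelimit 5
timelimit 10
reconnect_sleeptime 1
reconnect_retrytime 10
EOF
    : > "$d/client.key"          # stand-in for the tls_key file
    chmod 0600 "$d/client.key"
    printf '%s\n' "$d"
}

# Run every check on directory $1; print the first failure and return 1.
audit_dir() {
    files_before_ldap "$1/nsswitch.conf" passwd   || { echo "passwd: ldap consulted before files"; return 1; }
    files_before_ldap "$1/nsswitch.conf" group    || { echo "group: ldap consulted before files"; return 1; }
    local_breakglass_ok "$1/master.passwd" rescue || { echo "no usable local admin account"; return 1; }
    key_private "$1/client.key"                   || { echo "client key readable by group/other"; return 1; }
    nslcd_tls_strict "$1/nslcd.conf"              || { echo "nslcd does not verify the server cert"; return 1; }
    echo "ok"
}
```

Run `audit_dir` against a directory holding copies of the real files (or point the individual functions at them). The constructed sample deliberately lists `ldap` before `files` for the group database, so the audit stops there and reports it; with `files` first for both passwd and group and a local account that still has a hash, a login as that account needs nothing from nslcd, which is the mitigation for the crash scenario in the reply above. The key-permission and `tls_reqcert demand` checks cover the other half of Jan's argument: the credentials are only useful if the one process that holds them is the only one that can read them, and only safe if the daemon refuses an unverified server.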