From: Dick Davies <rasputnik@hellooperator.net>
To: FreeBSD Hackers <freebsd-hackers@freebsd.org>
Date: Sat, 30 Oct 2004 13:49:28 +0100
Subject: Re: Feature request (pam/nss ldap, nsswitch ldap integration)
Message-ID: <20041030124928.GE7262@bingo.tenfour>
In-Reply-To: <20041030114301.GB960@britannica.bec.de>
References: <20041030024557.53081.qmail@web51805.mail.yahoo.com> <20041030112057.GD7262@bingo.tenfour> <20041030114301.GB960@britannica.bec.de>
List-Id: Technical Discussions relating to FreeBSD (freebsd-hackers@freebsd.org)
User-Agent: Mutt/1.4.2.1i

* Joerg Sonnenberger [1043 12:43]:
> On Sat, Oct 30, 2004 at 12:20:58PM +0100, Dick Davies wrote:
> > Trouble is openldap is one of those things everyone wants to configure
> > themselves - do you enable SASL support or not, what backends do you use
> > etc?
>
> IIRC SASL is pretty mandatory to correctly implement LDAP v3. Bigger
> question is GSSAPI (Kerberos 5!) and the backend.
>
> [..]
>
> > And it raises other questions, for example how do you handle mergemaster
> > when half your accounts are in LDAP and not the system databases?
>
> You should _not_ put system accounts into LDAP, that's just wrong.
> So having them in the local database (whatever type that is) should work
> fine with mergemaster.

I can see why you say that, but there are times when it's useful
(rsyncing between different OSes for starters, where you want to preserve
permissions, for example - you don't have to ensure that all /etc/passwd,
/etc/shadow, whatever happen to have the same uid listed in this case).

-- 
The pie is ready. You guys like swarms of things, right? - Bender
Rasputin :: Jack of All Trades - Master of Nuns
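The two positions in the message above (Joerg: keep system accounts out of LDAP; Dick: mixed local/LDAP uids bite you when rsyncing with preserved permissions) both come down to the same audit of name/uid agreement. The script below is an added example written for this page; it is not code from the thread, from either poster, or from the FreeBSD project. It assumes the local database is a flat passwd(5)-style text file, stands in for the LDAP side with a constructed list of Account records (what nss_ldap would return), and treats `SYSTEM_UID_MAX = 999` as the system-account cut-off; the sample passwd files for "host A" and "host B" are constructed, not taken from real machines.

```python
"""Audit passwd data for the problems discussed in the thread.

Added example, not from the list or the FreeBSD project. Assumptions:
flat passwd(5)-style text for the local database, a constructed list of
Account records standing in for nss_ldap output, and SYSTEM_UID_MAX as
the line between system and user accounts.
"""
from dataclasses import dataclass

SYSTEM_UID_MAX = 999  # assumption: uid <= 999 is a "system" account


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> list:
    """Parse passwd(5) lines (name:pw:uid:gid:gecos:home:shell).

    Blank lines and '#' comments are skipped. A malformed line raises
    rather than being dropped, because a dropped entry hides a finding.
    """
    accounts = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        accounts.append(Account(name, int(uid), int(gid), home, shell))
    return accounts


def audit_ldap(local: list, ldap: list) -> list:
    """Check directory entries against the local passwd database.

    Returns tuples, in directory order:
      ("system-uid-in-ldap", name, uid)             uid <= SYSTEM_UID_MAX
      ("name-uid-mismatch", name, local_uid, uid)   same name, other uid
      ("uid-collision", uid, local_name, name)      same uid, other name
    """
    by_name = {a.name: a for a in local}
    by_uid = {a.uid: a for a in local}  # assumes local uids are unique
    findings = []
    for entry in ldap:
        if entry.uid <= SYSTEM_UID_MAX:
            findings.append(("system-uid-in-ldap", entry.name, entry.uid))
        same_name = by_name.get(entry.name)
        if same_name is not None and same_name.uid != entry.uid:
            findings.append(("name-uid-mismatch", entry.name, same_name.uid, entry.uid))
        same_uid = by_uid.get(entry.uid)
        if same_uid is not None and same_uid.name != entry.name:
            findings.append(("uid-collision", entry.uid, same_uid.name, entry.name))
    return findings


def uid_drift(src: list, dst: list) -> list:
    """Name/uid disagreements between two hosts' passwd files.

    rsync maps ownership by name unless --numeric-ids is given, in which
    case the sender's numeric uid is written on the receiver unchanged.
    "name-drift" breaks the first case only for --numeric-ids; "uid-reuse"
    is the entry that would then end up owned by the wrong person.
    """
    dst_by_name = {a.name: a for a in dst}
    dst_by_uid = {a.uid: a for a in dst}
    drift = []
    for a in sorted(src, key=lambda x: x.uid):
        d = dst_by_name.get(a.name)
        if d is not None and d.uid != a.uid:
            drift.append(("name-drift", a.name, a.uid, d.uid))
        d = dst_by_uid.get(a.uid)
        if d is not None and d.name != a.name:
            drift.append(("uid-reuse", a.uid, a.name, d.name))
    return drift


# Constructed sample data. HOST_A is FreeBSD-style, HOST_B Linux-style, and
# "alice"/"bob" were created in opposite order on the two machines.
HOST_A = """\
root:*:0:0:Charlie &:/root:/bin/sh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
alice:*:1001:1001:Alice:/home/alice:/bin/sh
"""
HOST_B = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
bob:x:1001:1001:Bob:/home/bob:/bin/bash
alice:x:1002:1002:Alice:/home/alice:/bin/bash
"""
# Constructed stand-in for nss_ldap output; 'www' (uid 80) is the kind of
# system account the thread argues should stay out of the directory.
LDAP = [
    Account("alice", 1001, 1001, "/home/alice", "/bin/sh"),
    Account("bob", 1002, 1002, "/home/bob", "/bin/sh"),
    Account("www", 80, 80, "/nonexistent", "/usr/sbin/nologin"),
]

if __name__ == "__main__":
    a, b = parse_passwd(HOST_A), parse_passwd(HOST_B)
    for host, local in (("host A", a), ("host B", b)):
        for f in audit_ldap(local, LDAP):
            print(host, *f)
    for f in uid_drift(a, b):
        print("A->B", *f)
```

On the constructed data, host A is clean apart from the `www` entry living in LDAP with a system uid; host B disagrees with the directory on both `alice` and `bob`, and the A-to-B drift report shows why an `rsync -a --numeric-ids` from A would hand alice's files to bob on B. Running the same two checks against `getent passwd` output on real hosts is the obvious next step, but that is outside what this offline example does.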