Date:      Tue, 30 Jan 2024 23:56:26 -0600
From:      Larry Rosenman <ler@FreeBSD.org>
To:        Cy Schubert <Cy.Schubert@cschubert.com>
Cc:        ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org, dev-commits-ports-main@freebsd.org
Subject:   Re: git: 94eda313a9d5 - main - mail/dovecot: add LDAP as a default option
Message-ID:  <6bf993503f708ff198907655c80b9b91@FreeBSD.org>
In-Reply-To: <20240131055438.BBDFC307@slippy.cwsent.com>
References:  <202401310117.40V1HFmD014823@gitrepo.freebsd.org> <20240131050508.5BF6F240@slippy.cwsent.com> <f87acd48c73fc9296e6ba3a40eccc010@FreeBSD.org> <20240131055438.BBDFC307@slippy.cwsent.com>

On 01/30/2024 11:54 pm, Cy Schubert wrote:
> In message <f87acd48c73fc9296e6ba3a40eccc010@FreeBSD.org>, Larry Rosenman
> writes:
>> On 01/30/2024 11:05 pm, Cy Schubert wrote:
>> > In message <202401310117.40V1HFmD014823@gitrepo.freebsd.org>, Larry
>> > Rosenman writes:
>> >> The branch main has been updated by ler:
>> >>
>> >> URL:
>> >> https://cgit.FreeBSD.org/ports/commit/?id=94eda313a9d5acc5ff8d00fec7a51862f3e346da
>> >>
>> >> commit 94eda313a9d5acc5ff8d00fec7a51862f3e346da
>> >> Author:     Larry Rosenman <ler@FreeBSD.org>
>> >> AuthorDate: 2024-01-31 01:15:05 +0000
>> >> Commit:     Larry Rosenman <ler@FreeBSD.org>
>> >> CommitDate: 2024-01-31 01:17:13 +0000
>> >>
>> >>     mail/dovecot: add LDAP as a default option
>> >>
>> >>     PR:     276741
>> >>     Requested by: seichan-ml@wakhok.ne.jp
>> >
>> > What's the compelling reason for this? The PR doesn't say why this would
>> > benefit everyone and doesn't explain if any negative impacts were
>> > non-existent or mitigated in any way. IMO someone asking for a feature or
>> > option without an analysis of impact can possibly result in a POLA
>> > situation.
>> >
>> > Why and will this cause any POLA?
>> 
>> POLA shouldn't be a problem except for the ldap-client lib.  As to why,
>> I didn't want to go through the argument with the user.  I can revert it
>> if you want.
> 
> I just need to understand the rationale. It's not apparent to me.
> 
>> 
>> I really want a way to split our packages like the dovecot folks do for
>> Linux, but I don't have that understood yet.
>> 
>> As I said, if the project wants me to revert it, I can.
> 
> I use dovecot on my exterior gateway machine. It does not use my LDAP
> directory nor KRB5 realm in order to insulate those services in case this
> machine is compromised. If this requires my Internet facing machine to use
> my LDAP directory (+ KRB5 realm) this may be an issue. It may also be an
> issue for those in similar circumstance.
> 
> I don't use LDAP on my exterior machine to reduce risk to the directory
> should that machine be compromised.
> 
> With LDAP enabled in the software will I and those who don't use LDAP have
> to hook into an LDAP directory? Or does this simply add an option?

Simply adds an option.  If you don't put anything in the config mentioning
LDAP, it sits dormant, except for the load of the client libraries.  It does
not open a path to anywhere.

-- 
Larry Rosenman                     http://people.freebsd.org/~ler
Phone: +1 214-642-9640                 E-Mail: ler@FreeBSD.org
US Mail: 5708 Sabbia Dr, Round Rock, TX 78665-2106


