Date: Fri, 12 Jan 2007 03:57:45 +1100 From: David Nugent <davidn@datalinktech.com.au> To: Vulpes Velox <v.velox@vvelox.net> Cc: hackers@freebsd.org Subject: Re: LDAP integration Message-ID: <45A66C89.4070405@datalinktech.com.au> In-Reply-To: <20070111035549.7c11a450@vixen42> References: <60737.24.71.119.183.1168496463.squirrel@webmail.sd73.bc.ca> <45A5EA3B.9020000@datalinktech.com.au> <20070111035549.7c11a450@vixen42>
next in thread | previous in thread | raw e-mail | index | archive | help
Vulpes Velox wrote: > I vote both are completely stupid. LDAP is nice organizing across > many systems, but if you are just dealing with one computer it is > complete over kill for any thing. Splitting rc.conf up into > multiple files is just plain messy and stupid as well. I can see > there being times when it is split into two, but I don't see any > reason for more than that. > This is a UI issue. I personally prefer one file, I don't have to wade though directories searching for any specific knob. :) > There are plenty of nice ways to access and modify LDAP data. I would > say it is easily as friendly as editing text files to be pulled > across. > .. and can be scripted in a variety of languages. > I fail to see how LDAP is not a standard tool. It is a tool that is > really under utilized. > Because it is a tool that incurs a cost to learn, configure and deploy. I'm not denying the benefits at all. But I think it must be an option, at least until the advantages gain momentum. > What this gains is being able to store a lot of configuration stuff > in the same place. It makes permission handling a lot easier as well. > If you store it in a file any one with write access can edit it, but > with LDAP it can assign write access to specific attributes. With > files you would have to split it up across multiple files. > Again, there is a cost. You would be adding a third security framework to an ldap enabled system (we already have unix credentials overlaid by the MAC framework to which we add ldap directory rights), and they need to relate in some way since they are dependent when supporting a consistent security profile. LDAP ACLs and understanding issues such as DIT structure, schemas, properties and attributes and how and why of ldap searches doesn't come naturally either, so you're dealing with a non-trivial learning curve. The benefits are plain to the 'already enlightened' but difficult to convince those who are not unless there is a very real problem to solve, not just a desire to deploy the technology for whatever reason. Maybe the technology will eventually become completely robust, easily installed and managed and offer some very significant benefits. I may be wrong, but I don't think we are at that point quite yet, but I'd certainly like to see it happen and probably will at some point in the future. Regards, -d
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?45A66C89.4070405>