From: David Nugent <davidn@datalinktech.com.au>
To: Vulpes Velox
Cc: hackers@freebsd.org
Date: Fri, 12 Jan 2007 03:57:45 +1100
Subject: Re: LDAP integration
Message-ID: <45A66C89.4070405@datalinktech.com.au>
In-Reply-To: <20070111035549.7c11a450@vixen42>
References: <60737.24.71.119.183.1168496463.squirrel@webmail.sd73.bc.ca> <45A5EA3B.9020000@datalinktech.com.au> <20070111035549.7c11a450@vixen42>
List-Id: Technical Discussions relating to FreeBSD

Vulpes Velox wrote:
> I vote both are completely stupid. LDAP is nice organizing across
> many systems, but if you are just dealing with one computer it is
> complete overkill for anything. Splitting rc.conf up into
> multiple files is just plain messy and stupid as well. I can see
> there being times when it is split into two, but I don't see any
> reason for more than that.

This is a UI issue. I personally prefer one file; I don't have to wade through directories searching for any specific knob. :)

> There are plenty of nice ways to access and modify LDAP data. I would
> say it is easily as friendly as editing text files to be pulled
> across.

.. and can be scripted in a variety of languages.

> I fail to see how LDAP is not a standard tool. It is a tool that is
> really underutilized.

Because it is a tool that incurs a cost to learn, configure and deploy. I'm not denying the benefits at all. But I think it must be an option, at least until the advantages gain momentum.

> What this gains is being able to store a lot of configuration stuff
> in the same place. It makes permission handling a lot easier as well.
> If you store it in a file anyone with write access can edit it, but
> with LDAP it can assign write access to specific attributes. With
> files you would have to split it up across multiple files.

Again, there is a cost. You would be adding a third security framework to an ldap-enabled system (we already have unix credentials overlaid by the MAC framework, to which we add ldap directory rights), and they need to relate in some way since they are dependent when supporting a consistent security profile. LDAP ACLs, and understanding issues such as DIT structure, schemas, properties and attributes and the how and why of ldap searches, don't come naturally either, so you're dealing with a non-trivial learning curve.

The benefits are plain to the 'already enlightened' but it is difficult to convince those who are not unless there is a very real problem to solve, not just a desire to deploy the technology for whatever reason. Maybe the technology will eventually become completely robust, easily installed and managed, and offer some very significant benefits. I may be wrong, but I don't think we are at that point quite yet; I'd certainly like to see it happen and it probably will at some point in the future.

Regards,
-d