Date:      Wed, 23 Aug 2006 15:55:23 -0500
From:      Brooks Davis <brooks@one-eyed-alien.net>
To:        Doug Barton <dougb@freebsd.org>
Cc:        freebsd-current@freebsd.org, Michael Bushkov <bushman@rsu.ru>
Subject:   Re: [HEADS UP]: OpenLDAP+nss_ldap+nss_modules separated patch and more (SoC)
Message-ID:  <20060823205523.GB27961@lor.one-eyed-alien.net>
In-Reply-To: <44ECBB7D.4090905@FreeBSD.org>
References:  <44E9582C.2010400@rsu.ru> <44ECBB7D.4090905@FreeBSD.org>

On Wed, Aug 23, 2006 at 01:33:01PM -0700, Doug Barton wrote:
> Michael Bushkov wrote:
> > Hi,
> > First, thanks to all FreeBSD people and to Google for the great summer!
> > As the SoC deadline has almost arrived, I'm glad to post most of this
> > summer's work results.
>
> Congratulations on your success with this project!
>
> > OpenLDAP + rewritten-from-scratch nss_ldap + nsswitch with separate
> > shared nss-modules patch.
> > To have
> > it in the tree, OpenLDAP also needed to be placed in the tree.
>
> Here is where (once again) we have a difference of opinion. I still believe
> strongly that the nss_ldap part of your work should be a port, with a
> dependency on the openldap in ports. I've stated my reasoning on this in the
> previous thread, so I won't rehash it here unless someone asks. I would like
> to point out though that I feel the numerous problems raised in this thread
> give even more weight to the request that I, and others, made not to have it
> incorporated into the base.
>
> This in no way is meant to indicate that your work has no value, or is
> somehow "less valuable" than work that is actually in the base. It is simply
> a realistic reflection of the fact that this facility will be needed by a
> small percentage of FreeBSD users, and the difficulties (costs) outweigh the
> corresponding benefit.

I disagree.  Having authentication functions outside the base makes them
more vulnerable to configuration problems and general library cross
threading.  It also means they can't work out of the box.  I think the
costs are likely fairly small (no worse than those associated with
OpenSSL) and the benefits are substantial.  I suspect you are correct
that a large portion of FreeBSD users don't need LDAP authentication,
but I believe our long-term future depends in part on attracting the
types of institutional users who do need it.  I think we need to get to
the point where we can authenticate against LDAPish systems such as
Active Directory without substantially more configuration than is
currently required for NIS.  Currently, joining the NIS/NFS cluster in
our department requires adding the following lines to /etc/rc.conf and
copying over our standard amd.conf:

nisdomainname="XXX"
nis_client_enable="YES"
amd_enable="YES"
amd_flags=""
nfs_client_enable="YES"

That's it, and that's where we need to be with regard to modern LDAP
based directory services if we want people with central authentication
and authorization systems to take us seriously.

Personally, I'd like to see at least some of the command line client
tools imported as well, along with the ldap libraries.

-- Brooks
