From owner-freebsd-current@FreeBSD.ORG Wed Aug 23 20:55:29 2006
Date: Wed, 23 Aug 2006 15:55:23 -0500
From: Brooks Davis
To: Doug Barton
Cc: freebsd-current@freebsd.org, Michael Bushkov
Subject: Re: [HEADS UP]: OpenLDAP+nss_ldap+nss_modules separated patch and more (SoC)
Message-ID: <20060823205523.GB27961@lor.one-eyed-alien.net>
In-Reply-To: <44ECBB7D.4090905@FreeBSD.org>
References: <44E9582C.2010400@rsu.ru> <44ECBB7D.4090905@FreeBSD.org>
User-Agent: Mutt/1.5.11
List-Id: Discussions about the use of FreeBSD-current

On Wed, Aug 23, 2006 at 01:33:01PM -0700, Doug Barton wrote:
> Michael Bushkov wrote:
> > Hi,
> > First, thanks to all FreeBSD people and to Google for the great summer!
> > As the SoC deadline has almost arrived, I'm glad to post most of this
> > summer's work results.
>
> Congratulations on your success with this project!
>
> > OpenLDAP + rewritten-from-scratch nss_ldap + nsswitch with separate
> > shared nss-modules patch.
> > To have
> > it in the tree, OpenLDAP was also needed to be placed in the tree.
>
> Here is where (once again) we have a difference of opinion. I still believe
> strongly that the nss_ldap part of your work should be a port, with a
> dependency on the openldap in ports. I've stated my reasoning on this in the
> previous thread, so I won't rehash it here unless someone asks. I would like
> to point out though that I feel the numerous problems raised in this thread
> give even more weight to the request that I, and others made not to have it
> incorporated into the base.
>
> This in no way is meant to indicate that your work has no value, or is
> somehow "less valuable" than work that is actually in the base. It is simply
> a realistic reflection of the fact that this facility will be needed by a
> small percentage of FreeBSD users, and the difficulties (costs) outweigh the
> corresponding benefit.

I disagree. Having authentication functions outside the base makes them
more vulnerable to configuration problems and general library cross
threading. It also means they can't work out of the box. I think the
costs are likely fairly small (no worse than those associated with
OpenSSL) and the benefits are substantial. I suspect you are correct that
a large portion of FreeBSD users don't need LDAP authentication, but I
believe our long-term future depends in part on attracting the types of
institutional users who do need it.

I think we need to get to the point where we can authenticate against
LDAPish systems such as Active Directory without substantially more
configuration than is currently required for NIS. Currently joining the
NIS/NFS cluster in our department requires adding the following lines to
/etc/rc.conf and copying over our standard amd.conf:

nisdomainname="XXX"
nis_client_enable="YES"
amd_enable="YES"
amd_flags=""
nfs_client_enable="YES"

That's it, and that's where we need to be with regard to modern LDAP-based
directory services if we want people with central authentication and
authorization systems to take us seriously.

Personally, I'd like to see at least some of the command line client tools
imported as well, and the ldap libraries.

-- Brooks

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)

iD8DBQFE7MC6XY6L6fI4GtQRAtBVAKCgeeOKMHDTvuenOXLge9/B4g7x0ACgg4A4
nkjVXD6mCFvOCUdCk8iq9ZU=
=24Vr
-----END PGP SIGNATURE-----
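The "configuration problems" Brooks raises for an NSS module that lives outside the base are concrete: nsswitch.conf can name a source (for instance `ldap`) whose shared module was never installed, was removed by a port upgrade, or sits in a library directory the resolver does not search, and lookups for that database then silently fall through. The script below is an added example written for this page, not code from the original message, from Michael Bushkov's nss_ldap work or from the FreeBSD project. It assumes FreeBSD's convention that a source that is not built into libc is loaded as `nss_<source>.so.1` from the library search path, and the list of built-in sources (`files compat dns nis cache`) is an assumption about the libc of that era that can be edited for the target system. Its input is a constructed nsswitch.conf and empty placeholder `.so.1` files, so it runs offline; it checks only that a module file is present, not that it loads or links against a compatible libldap.

```shell
#!/bin/sh
# Added example: audit an nsswitch.conf for sources whose NSS module is absent.
# Not code from the original message or from FreeBSD.
#
# Assumption: a source that is not built into libc is loaded as nss_<source>.so.1
# from the library search path. The built-in list is an assumption about the
# FreeBSD libc of the period; adjust it for the system under review.
BUILTIN_SOURCES="files compat dns nis cache"

# nss_check CONF LIBDIRS
# Print one line for every database source that requires a module not present
# in any of the space-separated LIBDIRS; print nothing when all are present.
nss_check() {
    conf=$1
    libdirs=$2
    while IFS= read -r line; do
        line=${line%%#*}                               # drop comments
        case $line in *:*) ;; *) continue ;; esac      # skip blank/malformed lines
        db=${line%%:*}
        sources=${line#*:}
        for tok in $sources; do
            case $tok in
                \[*|*\]) continue ;;                   # status/action specs, e.g. [notfound=return]
            esac
            builtin=0
            for b in $BUILTIN_SOURCES; do
                [ "$tok" = "$b" ] && builtin=1
            done
            [ $builtin -eq 1 ] && continue
            found=0
            for d in $libdirs; do
                [ -e "$d/nss_$tok.so.1" ] && found=1
            done
            if [ $found -eq 0 ]; then
                printf '%s: source "%s" needs nss_%s.so.1 (not found in: %s)\n' \
                    "$db" "$tok" "$tok" "$libdirs"
            fi
        done
    done < "$conf"
    return 0
}

# nss_missing_count CONF LIBDIRS
# Number of findings from nss_check, as a bare integer (handy for scripting).
nss_missing_count() {
    nss_check "$1" "$2" | wc -l | tr -d ' \t'
}

# make_fixture
# Create a constructed nsswitch.conf plus two stand-in library directories in a
# temporary directory and print that directory's path. The .so.1 file is an
# empty placeholder: only its presence matters to this check.
make_fixture() {
    tmp=$(mktemp -d)
    cat > "$tmp/nsswitch.conf" <<'EOF'
# constructed sample, not a real host's configuration
group: files ldap
passwd: files ldap
hosts: files dns
services: compat
EOF
    mkdir -p "$tmp/with_ldap" "$tmp/without_ldap"
    : > "$tmp/with_ldap/nss_ldap.so.1"
    printf '%s\n' "$tmp"
}

# Stand-alone demonstration: same configuration, with and without the module.
fx=$(make_fixture)
echo "== nss_ldap.so.1 installed =="
nss_check "$fx/nsswitch.conf" "$fx/with_ldap"
echo "== nss_ldap.so.1 missing =="
nss_check "$fx/nsswitch.conf" "$fx/without_ldap"
rm -rf "$fx"
```

Run it against a real host with `nss_check /etc/nsswitch.conf "/lib /usr/lib /usr/local/lib"`; a non-empty result means a database is configured to consult a source that the resolver cannot load, which is exactly the out-of-the-box failure mode the message is arguing about.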