From: Brooks Davis
To: d@delphij.net
Cc: Kostik Belousov, Dag-Erling Smørgrav, Lev Serebryakov, freebsd-security@freebsd.org
Date: Wed, 21 Sep 2011 08:42:48 -0500
Subject: Re: PAM modules
Message-ID: <20110921134248.GA55273@lor.one-eyed-alien.net>
In-Reply-To: <4E792DEF.30209@delphij.net>
List: freebsd-security@freebsd.org ("Security issues [members-only posting]")
On Tue, Sep 20, 2011 at 05:21:03PM -0700, Xin LI wrote:
> On 09/20/11 15:51, Kostik Belousov wrote:
> [...]
> > Yes, the question of maintenance of the OpenLDAP code in the base
> > is not trivial by any means. I remember that openldap once broke
> > the ABI on its stable-like branch.
>
> That happened a few times; however, these were either not in the essential
> client libraries' (libldap and liblber) API, or they did not change
> parameters or remove interfaces. Moreover, like the base libbsdxml.so, it
> is only intended to be used by the base system, so it is relatively easier
> to maintain ABI stability, e.g. we can probably just expose only the
> symbols that we use, etc.
>
> > Having the API renamed during the import for an actively developed
> > third-party component is probably a stopper. I am aware of the
> > rename done for the ssh import in ssh_namespace.h, but I do not think
> > such an approach scales.
>
> That's right. We did use a similar approach, but again, if it's just
> libldap and liblber, the change would be quite slow over the years. We do
> need to patch files.
>
> > Would the import of openldap and nss + pam ldap modules in src/
> > give any benefits over having openldap and ldap nss + pam modules
> > on the dvd1?
>
> Well, for the ldap nss + pam modules, people usually want them to "just
> work" rather than wanting the new features provided by a port-installed
> OpenLDAP. That said, the user expects to be able to update any port
> without risking being locked out of the system, plus these modules can
> be upgraded or updated with the existing binary update mechanisms.

This is certainly the largest benefit.
I used a variant of pam_ldap for authentication at $WORK for many years and the instability of the OpenLDAP API was a constant headache. That isn't to say that importing it into base is the only possible solution. It is likely the most straightforward.

-- Brooks