Date: Wed, 21 Sep 2011 08:42:48 -0500
From: Brooks Davis <brooks@freebsd.org>
To: d@delphij.net
Cc: Kostik Belousov <kostikbel@gmail.com>, Dag-Erling Smørgrav <des@des.no>, Lev Serebryakov <lev@freebsd.org>, freebsd-security@freebsd.org
Subject: Re: PAM modules
Message-ID: <20110921134248.GA55273@lor.one-eyed-alien.net>
In-Reply-To: <4E792DEF.30209@delphij.net>
References: <86boukbk8s.fsf@ds4.des.no> <4E738794.4050908@delphij.net> <86zki1afto.fsf@ds4.des.no> <4E78EA46.2080806@delphij.net> <86ty86zzcg.fsf@ds4.des.no> <1251419684.20110921022541@serebryakov.spb.ru> <4E7914E1.6040408@delphij.net> <849327678.20110921024347@serebryakov.spb.ru> <20110920225109.GF1511@deviant.kiev.zoral.com.ua> <4E792DEF.30209@delphij.net>

On Tue, Sep 20, 2011 at 05:21:03PM -0700, Xin LI wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 09/20/11 15:51, Kostik Belousov wrote:
> [...]
> > Yes, the question of maintenance of the OpenLDAP code in the base
> > is not trivial by any means. I remember that openldap once broke
> > the ABI on its stable-like branch.
>
> That happened a few times however these are either not essential client
> library (libldap and liblber) API or it's not changing parameters or
> removing interfaces. Moreover, like the base libbsdxml.so, it's only
> intended to be used by base system only so it's relatively easier to
> maintain ABI stability, e.g. we can probably just expose only symbols
> that we use, etc.
>
> > Having API renamed during the import for the actively-developed
> > third-party component is probably a stopper. I am aware of the
> > rename done for ssh import in ssh_namespace.h, but I do not think
> > such an approach scales.
>
> That's right. We did use a similar approach but again, if it's just
> libldap and liblber, the change would be quite slow over years. We do
> need to patch files.
>
> > Would the import of openldap and nss + pam ldap modules in src/
> > give any benefits over having openldap and ldap nss + pam modules
> > on the dvd1 ?
>
> Well, for ldap nss + pam models, people usually want them to "just
> work" rather than wanting new features provided by a port installed
> OpenLDAP. That's said, the user expects he can update any port
> without risking into being locked out from the system plus these
> modules can be upgraded or updated with existing binary update mechanisms.

This is certainly the largest benefit. I used a variant of pam_ldap for authentication at $WORK for many years and the instability of the OpenLDAP API was a constant headache.

That isn't to say that importing it into base is the only possible solution. It is likely the most straightforward.

-- Brooks