Date: Wed, 21 Sep 2011 13:10:46 -0400
From: Jason Hellenthal <jhell@DataIX.net>
To: Brooks Davis <brooks@freebsd.org>
Cc: Kostik Belousov <kostikbel@gmail.com>, Dag-Erling Smørgrav <des@des.no>, Lev Serebryakov <lev@freebsd.org>, d@delphij.net, freebsd-security@freebsd.org
Subject: Re: PAM modules
Message-ID: <20110921171046.GA80753@DataIX.net>
In-Reply-To: <20110921134248.GA55273@lor.one-eyed-alien.net>
References: <4E738794.4050908@delphij.net> <86zki1afto.fsf@ds4.des.no>
 <4E78EA46.2080806@delphij.net> <86ty86zzcg.fsf@ds4.des.no>
 <1251419684.20110921022541@serebryakov.spb.ru> <4E7914E1.6040408@delphij.net>
 <849327678.20110921024347@serebryakov.spb.ru>
 <20110920225109.GF1511@deviant.kiev.zoral.com.ua> <4E792DEF.30209@delphij.net>
 <20110921134248.GA55273@lor.one-eyed-alien.net>

On Wed, Sep 21, 2011 at 08:42:48AM -0500, Brooks Davis wrote:
> On Tue, Sep 20, 2011 at 05:21:03PM -0700, Xin LI wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA256
> >
> > On 09/20/11 15:51, Kostik Belousov wrote:
> > [...]
> > > Yes, the question of maintenance of the OpenLDAP code in the base
> > > is not trivial by any means. I remember that openldap once broke
> > > the ABI on its stable-like branch.
> >
> > That happened a few times however these are either not essential client
> > library (libldap and liblber) API or it's not changing parameters or
> > removing interfaces. Moreover, like the base libbsdxml.so, it's only
> > intended to be used by base system only so it's relatively easier to
> > maintain ABI stability, e.g. we can probably just expose only symbols
> > that we use, etc.
> >
> > > Having API renamed during the import for the actively-developed
> > > third-party component is probably a stopper. I am aware of the
> > > rename done for ssh import in ssh_namespace.h, but I do not think
> > > such approach scale.
> >
> > That's right. We did use a similar approach but again, if it's just
> > libldap and liblber, the change would be quite slow over years. We do
> > need to patch files.
> >
> > > Would the import of openldap and nss + pam ldap modules in src/
> > > give any benefits over having openldap and ldap nss + pam modules
> > > on the dvd1 ?
> >
> > Well, for ldap nss + pam models, people usually want them to "just
> > work" rather than wanting new features provided by a port installed
> > OpenLDAP. That's said, the user expects he can update any port
> > without risking into being locked out from the system plus these
> > modules can be upgraded or updated with existing binary update mechanisms.
>
> This is certainly the largest benefit. I used a variant of pam_ldap for
> authentication at $WORK for many years and the instability of the
> OpenLDAP API was a constant headache.
>
> That isn't to say that importing it into base is the only possible
> solution. It is likely the most straightforward.
>

Base package system that comes pre-installed? Or just ships with the discs?

> -- Brooks