From owner-freebsd-security@FreeBSD.ORG Wed Sep 21 17:10:54 2011
Date: Wed, 21 Sep 2011 13:10:46 -0400
From: Jason Hellenthal
To: Brooks Davis
Cc: Kostik Belousov, Dag-Erling Smørgrav, Lev Serebryakov, d@delphij.net, freebsd-security@freebsd.org
Subject: Re: PAM modules
Message-ID: <20110921171046.GA80753@DataIX.net>
In-Reply-To: <20110921134248.GA55273@lor.one-eyed-alien.net>
References: <4E738794.4050908@delphij.net> <86zki1afto.fsf@ds4.des.no> <4E78EA46.2080806@delphij.net> <86ty86zzcg.fsf@ds4.des.no> <1251419684.20110921022541@serebryakov.spb.ru> <4E7914E1.6040408@delphij.net> <849327678.20110921024347@serebryakov.spb.ru> <20110920225109.GF1511@deviant.kiev.zoral.com.ua> <4E792DEF.30209@delphij.net> <20110921134248.GA55273@lor.one-eyed-alien.net>
List-Id: "Security issues [members-only posting]"

On Wed, Sep 21, 2011 at 08:42:48AM -0500, Brooks Davis wrote:
> On Tue, Sep 20, 2011 at 05:21:03PM -0700, Xin LI wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA256
> >
> > On 09/20/11 15:51, Kostik Belousov wrote:
> > [...]
> > > Yes, the question of maintenance of the OpenLDAP code in the base
> > > is not trivial by any means. I remember that openldap once broke
> > > the ABI on its stable-like branch.
> >
> > That happened a few times, however these are either not essential client
> > library (libldap and liblber) API or it's not changing parameters or
> > removing interfaces. Moreover, like the base libbsdxml.so, it's only
> > intended to be used by the base system only, so it's relatively easier to
> > maintain ABI stability, e.g. we can probably just expose only symbols
> > that we use, etc.
> >
> > > Having API renamed during the import for the actively-developed
> > > third-party component is probably a stopper. I am aware of the
> > > rename done for ssh import in ssh_namespace.h, but I do not think
> > > such an approach scales.
> >
> > That's right. We did use a similar approach but again, if it's just
> > libldap and liblber, the change would be quite slow over years. We do
> > need to patch files.
> >
> > > Would the import of openldap and nss + pam ldap modules in src/
> > > give any benefits over having openldap and ldap nss + pam modules
> > > on the dvd1 ?
> >
> > Well, for ldap nss + pam modules, people usually want them to "just
> > work" rather than wanting new features provided by a port installed
> > OpenLDAP. That said, the user expects he can update any port
> > without risking being locked out from the system, plus these
> > modules can be upgraded or updated with existing binary update mechanisms.
>
> This is certainly the largest benefit. I used a variant of pam_ldap for
> authentication at $WORK for many years and the instability of the
> OpenLDAP API was a constant headache.
>
> That isn't to say that importing it into base is the only possible
> solution. It is likely the most straightforward.
>

Base package system that comes pre-installed? Or just ships with the discs?

> -- Brooks