On Wed, Aug 23, 2006 at 01:33:01PM -0700, Doug Barton wrote:
> Michael Bushkov wrote:
> > Hi,
> >
> > First, thanks to all FreeBSD people and to Google for the great summer!
> > As the SoC deadline has almost arrived, I'm glad to post most of this
> > summer's work results.
>
> Congratulations on your success with this project!
>
> > OpenLDAP + rewritten-from-scratch nss_ldap + nsswitch with separate
> > shared nss-modules patch.
>
> > To have
> > it in the tree, OpenLDAP also needed to be placed in the tree.
>
> Here is where (once again) we have a difference of opinion. I still believe
> strongly that the nss_ldap part of your work should be a port, with a
> dependency on the openldap in ports. I've stated my reasoning on this in the
> previous thread, so I won't rehash it here unless someone asks. I would like
> to point out though that I feel the numerous problems raised in this thread
> give even more weight to the request that I, and others, made not to have it
> incorporated into the base.
>
> This in no way is meant to indicate that your work has no value, or is
> somehow "less valuable" than work that is actually in the base. It is simply
> a realistic reflection of the fact that this facility will be needed by a
> small percentage of FreeBSD users, and the difficulties (costs) outweigh the
> corresponding benefit.

I disagree. Having authentication functions outside the base makes them
more vulnerable to configuration problems and general library cross
threading. It also means they can't work out of the box. I think the
costs are likely fairly small (no worse than those associated with
OpenSSL) and the benefits are substantial. I suspect you are correct
that a large portion of FreeBSD users don't need LDAP authentication,
but I believe our long-term future depends in part on attracting the
types of institutional users who do need it.
I think we need to get to the point where we can authenticate against
LDAPish systems such as Active Directory without substantially more
configuration than is currently required for nis. Currently joining the
NIS/NFS cluster in our department requires adding the following lines to
/etc/rc.conf and copying over our standard amd.conf:

nisdomainname="XXX"
nis_client_enable="YES"
amd_enable="YES"
amd_flags=""
nfs_client_enable="YES"

That's it, and that's where we need to be with regard to modern LDAP-based
directory services if we want people with central authentication and
authorization systems to take us seriously. Personally, I'd like to see at
least some of the command line client tools imported as well as the ldap
libraries.

-- Brooks
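The configuration-problem risk Brooks raises, together with the rc.conf fragment he quotes, is what the following check script illustrates. It is an added example, not code from this thread or from FreeBSD: it cross-checks an rc.conf against an nsswitch.conf so that a host naming a directory source (nis or ldap) for passwd/group actually has the matching client enabled and still consults local files first. The knob names nisdomainname and nis_client_enable are the ones from the message; "ldap" as an nsswitch source and the module path /usr/local/lib/nss_ldap.so.1 (where the ports nss_ldap installs it) are assumptions, and the sample files are constructed.

```sh
#!/bin/sh
# Added example, not code from the thread or from FreeBSD. Cross-checks a
# FreeBSD host's rc.conf and nsswitch.conf: if passwd/group name a directory
# source (nis or ldap), the matching client must be enabled and local "files"
# must be consulted first so root can still log in when the directory is down.
# Knob names nisdomainname/nis_client_enable come from the message; "ldap" as
# an nsswitch source and the module path under /usr/local/lib are assumptions.

# rc_value FILE KNOB: print KNOB's value from an rc.conf-style file, quotes stripped
rc_value() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# nss_sources FILE DB: print the source list configured for database DB (e.g. passwd)
nss_sources() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | sed 's/#.*//' | tail -n 1
}

# check_config RCCONF NSSWITCH [MODDIR]: report findings on stderr and print
# the number of problems found on stdout (always exits 0)
check_config() {
    rc=$1; nss=$2; moddir=${3:-/usr/local/lib}; problems=0
    for db in passwd group; do
        set -- $(nss_sources "$nss" "$db")   # positional params are local to the function
        first=${1:-}
        uses_dir=no
        for src in "$@"; do
            case $src in
            nis)
                uses_dir=yes
                if [ "$(rc_value "$rc" nis_client_enable)" != YES ]; then
                    echo "$db: nis listed but nis_client_enable is not YES" >&2
                    problems=$((problems + 1))
                fi
                if [ -z "$(rc_value "$rc" nisdomainname)" ]; then
                    echo "$db: nis listed but nisdomainname is unset" >&2
                    problems=$((problems + 1))
                fi
                ;;
            ldap)
                uses_dir=yes
                if [ ! -e "$moddir/nss_ldap.so.1" ]; then
                    echo "$db: ldap listed but $moddir/nss_ldap.so.1 is missing" >&2
                    problems=$((problems + 1))
                fi
                ;;
            esac
        done
        if [ "$uses_dir" = yes ] && [ "$first" != files ] && [ "$first" != compat ]; then
            echo "$db: directory source consulted before local files" >&2
            problems=$((problems + 1))
        fi
    done
    echo "$problems"
}

# demo: run the check on constructed files: the rc.conf lines quoted in the
# message, and an nsswitch.conf whose group line is deliberately misordered.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/rc.conf" <<'EOF'
nisdomainname="XXX"
nis_client_enable="YES"
amd_enable="YES"
amd_flags=""
nfs_client_enable="YES"
EOF
    cat > "$tmp/nsswitch.conf" <<'EOF'
# constructed sample
passwd: files nis
group: ldap files   # ldap first, and no module installed under MODDIR
EOF
    check_config "$tmp/rc.conf" "$tmp/nsswitch.conf" "$tmp/nomods"
    rm -rf "$tmp"
}

demo
```

Run as-is, the demo reports two findings for the group database (missing module and ldap ahead of files) and prints 2; point check_config at the real /etc/rc.conf and /etc/nsswitch.conf to audit a host.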
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:59 UTC