Re: [HEADS UP]: OpenLDAP+nss_ldap+nss_modules separated patch and more (SoC)

From: Brooks Davis <brooks_at_one-eyed-alien.net>
Date: Fri, 25 Aug 2006 17:27:32 -0500
On Sat, Aug 26, 2006 at 08:00:33AM +1000, Peter Jeremy wrote:
> On Wed, 2006-Aug-23 15:55:23 -0500, Brooks Davis wrote:
> >  Having authentication functions outside the base makes them
> >more vulnerable to configuration problems and general library cross
> >threading.
> 
> Can you explain what you mean here.  Having a single OpenLDAP,
> nss_ldap etc in ports would seem to have less scope for
> misconfiguration than having one version in the base system and a
> slightly different version in ports.
> 
> There are already a number of authentication modules in ports
> that don't seem to cause serious problems.

If it's in the base you always know exactly what version is there and
we generally limit the number of build options available so it's fairly
easy to be sure you've built a set of things that actually work.
There's also no supported way to upgrade your libraries out from under a
dependency piece as happens fairly regularly in ports (yes there are ways
to avoid it, but we're talking about your login system here.  Breaking
that is really bad).

> >  It also means they can't work out of the box.
> 
> I disagree.  X11 and perl are both ports that work out-of-the-box.
> There's no reason why OpenLDAP can't be a port on CD1 - which makes
> it fairly transparent to users.

I think authentication and authorization is in a different class of
things from X and perl, but the line is certainly blurry.

> >  I think the
> >costs are likely fairly small (no worse than those associated with
> >OpenSSL) and the benefits are substantial.
> 
> As one of the majority who don't need LDAP authentication, I don't
> see any benefits to me.
>
> IMHO, FreeBSD should move towards a more modular system - a minimal
> base with most of the functionality in optional packages (or ports).
> Removing uucp, games and perl are steps in this direction.  I believe
> there should be a very high bar on the import of functionality that
> is already available in ports.

I'm fairly confident that less than 1% of users use anything close to
half the programs in the base system, but we still ship all of them
because they are part of a complete system.  I think that LDAP auth has
moved (or is moving) into the category of things that should be in that
complete system and that we would benefit from tighter integration than
the ports collection can give us.  There are also undoubtedly things in
the base that no longer contribute sufficiently to that system.  I think
there's room for more modularity, but I'd prefer not to rip out
everything you could conceivably get from ports.

-- Brooks

Received on Fri Aug 25 2006 - 20:52:14 UTC
