Re: FreeBSD nss, getgroupmembership(3)

From: Frode Nordahl <frode_at_nordahl.net>
Date: Mon, 17 Jul 2006 13:58:58 +0200
On 28. mai. 2006, at 19.32, Matthijs Kooijman wrote:

> I've been playing around with this issue myself as well. I want to  
> support
> nested groups through winbind, which is supported through
> winbind_getgrouplist, but not through getgrent...

Great to see some more interest in it! :-)

I am about to go live with a system with a significant number of  
users ( > 1 million), and have just disabled group lookups for now.

>> By coincidence I found that NetBSD has created the infrastructure
>> needed to make this a reallity allready! In NetBSD getgrouplist(3) is
>> now a front-end for getgroupmembership(3).
> I just found this one too. I'm not sure how widespread the  
> implementation of
> getgroupmembership is, though. I know nss_winbind does not  
> implement it, but
> does implement initgroups_dyn. From your post I think nss_ldap does  
> this also.

Most NSS modules come from Linux / GLIBC, and thus match their  
implementations. Since this does not exist in FreeBSD yet, I would  
first look to the other BSDs and try to match their implementation.

Since FreeBSD's nss comes from NetBSD I think it is pretty obvious  
that we want to import new features from them, and not from GNU  
Libc. :-)

However, NSS is a large beast reaching into many central parts of  
libc, and great care must be taken to not break anything when  
importing new code.

Last I looked it seemed like NetBSD's NSS code had moved along quit a  
bit, and I don't know if it is common practice to backport specific  
functionality, or to just do a new import?

>> Is there any chance for FreeBSD to get an updated import of NSS from
>> NetBSD anytime soon? :-)
> Due to the (possibly) limited support of getgroupmembership in nss  
> backends,
> it might be better to use initgroups_dyn instead?

No, I would rather let BSD NSS be BSD NSS and implement a compability  
layer for initgroups_dyn :-)

See /usr/src/lib/libc/net/nss_compat.c and bsdnss.c in nectar's  
nss_ldap port.

> Anyway, I've spent some words on this issue on my blog [1], if anyones
> interested. I'm planning on trying to make this work on FreeBSD  
> sometime soon.
> But, since I only have FreeBSD 6.0 machines to play around with  
> (possibly 6.1
> soon), I will probably code up a patch for 6.0. Have there been big  
> changes to
> nss since then that might make this a useless idea?

New code should generally be patches againts -CURRENT, but I don't  
think this is a part of the source tree that is changed very often.

I would at least have a look at the files you plan on changing from - 
CURRENT so you can know that the world as you know it is not about to  
be changed / replaced :)

Frode Nordahl
frode_at_nordahl.net
Received on Mon Jul 17 2006 - 09:58:57 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:58 UTC