Current-Users archive


Re: the state of ldap on netbsd



On 2/12/08, Brad Spencer <brad%anduin.eldar.org@localhost> wrote:
>
> I am working on a YP to LDAP conversion here and have messed with a lot of
> this recently.
>
>    matthew sporleder wrote:
>    > I was wondering why netbsd doesn't come with a native pam/nss-ldap.
>    > (licensing?  no one has made the effort?  NIH?)
>    >
>    >
>
>    I guess the version in pkgsrc has been sufficient ... though from memory
>    it was a little cumbersome to set up and test.
>
> It isn't too bad.
>
> There are a couple of limits with nss-ldap, however.  There does not exist
> support in our libc to glue just everything that is available via YP maps
> into the dynamically loadable stuff that nsswitch dispatch now provides.
> The end result is that not every map that is available via 'nis' will be
> available via ldap, even when the nss-ldap module supports it.  The other
> limit I found was that the NetBSD glue code that is provided in pkgsrc for
> nss-ldap does not support all of the loadable dispatches that libc
> provides.  If I remember, it only provides for 'passwd' and 'group'.  I
> added support for 'networks' locally, but have not had time to file a PR.
> I would like to add support for 'hosts', but have not had time to do that
> either...
>
> [snip]
>
> The worst part of the entire conversion, I think, was getting the pam
> ordering right so that KRB5 and ldap can both be consulted for
> authentication without whining too much.
>

I suppose this is because nis is built-in.  I think there are some
comments around mentioning how there should be additional databases
and more flexibility in nss.

