Subject: Re: Authenticating with LDAP
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
From: Greg A. Woods <woods@weird.com>
List: netbsd-users
Date: 01/20/2003 15:31:59
[ On Monday, January 20, 2003 at 14:22:18 (+0100), Stephane Bortzmeyer wrote: ]
> Subject: Re: Authenticating with LDAP
>
> The problem is more pragmatic. OK, PAM sucks but:
> 
> 1) What do you suggest instead? (If you say "NIS", I will ask why NIS
> is better than LDAP, specially when we talk about security.)

NIS and LDAP are not replacements for PAM.  They are underlying data
access protocols that PAM, or its better replacement, would use.

Personally instead of using PAM I would suggest just extending the
trivially extensible nsswitch stuff that's in NetBSD already.  Adding
LDAP hooks to it should be as easy as copying the existing NIS hooks and
changing the library calls they make to use any existing LDAP access
library.  "make install" (or the equivalent build.sh invocation) and
you're done.  Lots of people (myself included :-) can do this
professionally and provide tested and ready-to-use install media.

There's also the scheme used by BSD/OS.....

> 2) What do you do when the current network uses LDAP and the issue is
> not "What authentication protocol should we use?" but "Will I be able
> to integrate a NetBSD machine into that network or should I reformat
> the hard disk right now? Specially considering that I am the only one
> in the technical team which uses NetBSD."

I know of at least two sites where LDAP has been used without PAM.  One
is a NetBSD site, and the other is a FreeBSD site.  Unfortunately
neither site is terribly interested in posting their patches or even
publicizing their existence, but both agree that it was so easy to do
that any C programmer could do it in very short order.  (I didn't do the
work myself at either site.)

-- 
Greg A. Woods

+1 416 218-0098;            <g.a.woods@ieee.org>;           <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>