Subject: Re: Authenticating with LDAP
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
From: John Nemeth <jnemeth@victoria.tc.ca>
List: netbsd-users
Date: 01/21/2003 11:53:51
On Jun 12,  8:58am, Stephane Bortzmeyer wrote:
} On Wed, Jan 15, 2003 at 12:37:41PM -0500,
}  Greg A. Woods <woods@weird.com> wrote a message of 21 lines which said:
} 
} > Read the many various related threads on various netbsd mailing lists.
} 
} The one you gave me:
} 
} http://mail-index.netbsd.org/netbsd-advocacy/2001/09/30/0001.html
} 
} is very interesting, technically speaking, but it boils down to "PAM

     Actually, it isn't interesting at all.  It says, "Because PAM is
incapable of interacting with the user...".  That statement is
completely bogus and indicates that the author has never worked with
PAM or read the API docs.  He should therefore be dismissed out of
hand.  A big problem with the PAM discussions is that there have been a
bunch of people who don't have a clue about PAM spouting off about
imaginary bogeymen.  This makes it difficult to separate the wheat from
the chaff.

} is not perfect, one day, I will do something better".

     PAM probably isn't perfect since nothing is.  However, it doesn't
have the flaws that he says it does.  As for his "something better", it
sounds like it would be inflexible.  Personally, I believe that
anything that requires recompilation (or even just relinking) is a
non-starter.

} > Plainly put PAM is utterly useless and unnecessary for NetBSD.

     Only a nutcase would make a statement like this.  Most people that
have been here for any length of time have learned to just ignore
Greg.  He contends that since you have the source, you can just modify
it and recompile the entire system (as well as any third party apps
that need to do authentication).  This is obviously not realistic.
Greg lives in some kind of fantasy world that nobody can figure out.

     Greg, don't bother replying, or flaming me again, since I will
just bit bucket your mail.  You have demonstrated both here and on
spamtools, the CVS mailing list, etc. that you are completely
inflexible so there is no point in discussing anything with you.

} The problem is more pragmatic. OK, PAM sucks but:
} 
} 1) What do you suggest instead? (If you say "NIS", I will ask why NIS
} is better than LDAP, specially when we talk about security.)

     These are different things.  NIS and LDAP are authentication
methods.  PAM is middleware that goes between applications wishing to
do authentication and authentication methods.  Think of it as a smart
crossbar switch.  It basically determines which applications use which
authentication methods and allows the choices to be changed dynamically
without changing any code.

} 2) What do you do when the current network uses LDAP and the issue is
} not "What authentication protocol should we use?" but "Will I be able
} to integrate a NetBSD machine into that network or should I reformat
} the hard disk right now? Specially considering that I am the only one
} in the technical team which uses NetBSD."

     At the moment you need to hack it in yourself and rebuild the
system.  This is obviously suboptimal and must change at some point in
time.  The other alternative if this is going to be a personal machine
is to go without LDAP if possible.

}-- End of excerpt from Stephane Bortzmeyer
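To make the "crossbar switch" description above concrete, here is an added configuration example (not from the original message or from NetBSD itself) in the pam.d style used by Linux-PAM and OpenPAM. It assumes the stock pam_unix module and a pam_ldap module are installed; the service names (sshd, login) and file paths are the usual defaults but are assumptions here.

```conf
# /etc/pam.d/sshd  -- remote logins consult LDAP first, then the local
# password database.  "sufficient" means success ends the stack, failure
# falls through to the next line; "required" must succeed for the stack
# to pass.  try_first_pass reuses the password already collected so the
# user is not prompted twice.
auth     sufficient  pam_ldap.so
auth     required    pam_unix.so try_first_pass
account  sufficient  pam_ldap.so
account  required    pam_unix.so

# /etc/pam.d/login -- console logins stay purely local, so a broken
# LDAP server or network cannot lock you out of the machine.
auth     required    pam_unix.so
account  required    pam_unix.so
```

Each service gets its own stack, so sshd and login can use different methods, and switching sshd back to local-only (or adding a second directory) is a one-line edit to a text file that takes effect on the next login, with nothing recompiled or relinked. The prompting itself happens through the application's conversation callback, which is how the modules above ask for the password.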