tech-userlevel archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

RFC: Going the LDAP/Kerberos way with NetBSD.

After Luke's mail on integrating OpenLDAP, I think it may be a good time to re-think how NetBSD works in both stand-alone and small network environment. I have some ideas here, please comment on them
for things I have missed :-)

- NetBSD has a few databases in /etc used in a standalone environment, but most stuff are in text files. For small networks, there is YP which provides a rudimentary directory service. YP today starts to be quite outdated; not especially secure and do not necessarily have the capabilities wanted.
 Also, there are fewer and fewer other sites using it.

Wanted environment:
- A default installation that can work as a good standalone machine.
From this position it should be simple to make it server for a few machines, to join it to an environment
 of other NetBSD machines or machines with other OSes.

- NetBSD should have an infrastructure primary based on LDAP for directory services and Kerberos for authentication, which is used in all environments as feasible. Let the {s}pwd.db stuff die and
 retire ypserv., that sounds good, but how?

Setting up OpenLDAP is a quite complex task, it requires understanding of how LDAP works, how the security policies should be, config of backends, certificates etc. Even though it may be possible to setup a reasonable default configuration, I doubt it is good to require people trying/using NetBSD
to have to deal with it. LDAP is not as "lightweight" as required for this.

So, I went the other way and wrote a small LDAP server implementation, just to see how simple it can be if all bells and whistles are removed. And my prototype is small :-) To summary up (so that the mail do not get too long and people do not care to read it), I think
something like this:

- Deliver NetBSD with my small LDAP server, which can be a daemon that always runs on the machine. Let pwd_mkdb et al write the stuff directly into the LDAP database. (I assume that passwd can generate the Kerberos encryption keys as well, for eventual future kdc use?) Have a command similar to ypmake that put groups etc. in the LDAP directory as well. This is the default config for a newly-installed machine.

- If the machine is supposed to be used as a server in a small network, just run e.g. ypinit -s, which asks questions about Kerberos realm, populates LDAP with the required KDC keys and starts the KDC.

- If it is supposed to be a client in a NetBSD network, just run like ypinit -c <servername> which will fetch the config out of the LDAP and generate host keys for the target machine. Quite simple :-)

And, if someone wants to use more fancy features in an LDAP server, install OpenLDAP or iPlanet.
It should be trivial to just switch over.

Now, after a much too long mail, comments please? :-)

-- Ragge

Home | Main Index | Thread Index | Old Index