tech-userlevel archive


Re: RFC: Going the LDAP/Kerberos way with NetBSD.




On 29 Apr 2008, at 16:16, Anders Magnusson wrote:
> Let the {s}pwd.db stuff die ...

I don't think that is a good idea, see below.

> and retire ypserv.

YP is old but widely supported. There are networks which consist of a large number of different operating systems, including old versions. NIS is often enough the only common standard for sharing users and groups in such a network. NetBSD should continue to support NIS.

I however agree that it is time to offer an alternative.

> So, I went the other way and wrote a small LDAP server implementation, just to see how simple it can be if all bells and whistles are removed. And my prototype is small :-)

Which files or local database can it replace? I use an OpenLDAP server under NetBSD at home and besides users and groups it also provides automounter maps for my Mac OS X machine.

> - Deliver NetBSD with my small LDAP server, which can be a daemon that always runs on the machine.
> Let pwd_mkdb et al write the stuff directly into the LDAP database.

While I would like having a simple LDAP server, I don't like this approach. There are people who run NetBSD systems, e.g. firewalls, with only a single getty process running. And that should still be possible.

Using files works very well and efficiently on machines with only a few users. The security problems (e.g. those of "/usr/bin/passwd") are well understood. Running an OpenLDAP server should never be a requirement.

        Kind regards

--
Matthias Scheler                           http://zhadum.org.uk/
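The point of the reply above, that a box must keep working with only its local files even when no directory server is reachable, is usually expressed in the name-service switch ordering. The fragment below is an added illustration for this archive page, not something posted in the thread: it assumes a NetBSD host whose `ldap` source comes from a dynamically loaded nss module (the pkgsrc nss_ldap module is assumed here) and whose local accounts live in /etc/master.passwd, compiled into the {s}pwd.db files by pwd_mkdb.

```conf
# /etc/nsswitch.conf (illustrative fragment, not from the thread)
#
# "files" is listed first so that root and the local admin accounts in
# /etc/master.passwd (i.e. the pwd.db/spwd.db files) resolve before any
# network source is consulted.  A single-getty firewall therefore still
# boots and accepts a console login when the LDAP server is down.
passwd: files ldap
group:  files ldap

# Listing the network source first (assumed weak ordering, shown only for
# contrast) makes every local lookup, including root's, wait on the LDAP
# server first:
# passwd: ldap files

# Sites that still need NIS for their mixed networks can keep it as a
# further source behind the local files:
# passwd: files nis ldap
# group:  files nis ldap
```

With "files" first, the {s}pwd.db databases remain the authoritative, always-available source for the accounts needed to administer the machine, and LDAP or NIS only extends that set; removing the file-based backend, as proposed in the quoted message, would make the directory server a hard dependency for every login.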



