tech-userlevel archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: RFC: Going the LDAP/Kerberos way with NetBSD.

On Tue, Apr 29, 2008 at 05:16:55PM +0200, Anders Magnusson wrote:
> After Luke's mail on integrating OpenLDAP, I think it may be a good time 
> to re-think how NetBSD works
> in both stand-alone and small network environment. I have some ideas 
> here, please comment on them
> for things I have missed :-)
> Today:
> - NetBSD has a few databases in /etc used in a standalone environment, 
> but most stuff are in text files.
>  For small networks, there is YP which provides a rudimentary directory 
> service.  YP today starts
>  to be quite outdated; not especially secure and do not necessarily 
> have the capabilities wanted.
>  Also, there are fewer and fewer other sites using it.
> Wanted environment:
> - A default installation that can work as a good standalone machine.
>  From this position it should be simple to make it server for a few 
> machines, to join it to an environment
>  of other NetBSD machines or machines with other OSes.
> Idea:
> - NetBSD should have an infrastructure primary based on LDAP for 
> directory services and Kerberos
>  for authentication, which is used in all environments as feasible.  
> Let the {s}pwd.db stuff die and
>  retire ypserv.
>, that sounds good, but how?
> Setting up OpenLDAP is a quite complex task, it requires understanding 
> of how LDAP works, how
> the security policies should be, config of backends, certificates etc.  
> Even though it may be possible
> to setup a reasonable default configuration, I doubt it is good to 
> require people trying/using NetBSD
> to have to deal with it. LDAP is not as "lightweight" as required for this.
> So, I went the other way and wrote a small LDAP server implementation, 
> just to see how simple it
> can be if all bells and whistles are removed.  And my prototype is small 
> :-) 
> To summary up (so that the mail do not get too long and people do not 
> care to read it), I think
> something like this:
> - Deliver NetBSD with my small LDAP server, which can be a daemon that 
> always runs on the machine.
>  Let pwd_mkdb et al write the stuff directly into the LDAP database.  
> (I assume that passwd can generate
>  the Kerberos encryption keys as well, for eventual future kdc use?)  
> Have a command similar to ypmake
>  that put groups etc.  in the LDAP directory as well.  This is the 
> default config for a newly-installed machine.
> - If the machine is supposed to be used as a server in a small network, 
> just run e.g. ypinit -s, which asks
>  questions about Kerberos realm, populates LDAP with the required KDC 
> keys and starts the KDC.
> - If it is supposed to be a client in a NetBSD network, just run like 
> ypinit -c <servername> which will
>  fetch the config out of the LDAP and generate host keys for the target 
> machine.  Quite simple :-)
> And, if someone wants to use more fancy features in an LDAP server, 
> install OpenLDAP or iPlanet.
> It should be trivial to just switch over.
> Now, after a much too long mail, comments please? :-)

Ok, I think there really are two parts to your EMail, and we should factor 
them out for discussion.

1) Integrating LDAP into NetBSD to the same level as YP was 15 to 20 years 
ago. This includes scripts to seed an LDAP server from /etc databases and 
also scripts to help bind a client to an LDAP system

2) Including your small ldap server to help with (1).

I think we should talk about them separately since (2) will raise issues 
not raised by (1).

I STRONGLY favor (1)!!! Sounds great!!!

I like (2) as well. I however don't know enough about LDAP to know how 
much of a support concern we're opening ourselves up to.

Take care,


Attachment: pgpWkzevpKLTP.pgp
Description: PGP signature

Home | Main Index | Thread Index | Old Index