tech-userlevel archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: RFC: Going the LDAP/Kerberos way with NetBSD.

Matthias Scheler skrev:

On 29 Apr 2008, at 16:16, Anders Magnusson wrote:
Let the {s}pwd.db stuff die ...

I don't think that is a good idea, see below.
Note that {s}pwd.db has nothing to do with yp.

and retire ypserv.

YP is old but widely supported. There are networks which consists of a large number of different operating system including old versions. NIS is often enough the only common standard for sharing users and groups in such a network. NetBSD should continue to support NIS.
Yep, it should, therefore I wrote nothing on removing ypbind :-)
For ypserv, there are two things:
- Move the old ypserv goo to pkgsrc.
- Provide yp compat for ldap. Simple and clean, and especially good in a migrating environment.

I however agree that it is time to offer an alternative.

So, I went the other way and wrote a small LDAP server implementation, just to see how simple it can be if all bells and whistles are removed. And my prototype is small :-)

Which files or local database can it replace? I use an OpenLDAP server under NetBSD at home and besides users and groups it also provides automounter maps for my Mac OS X machine.
All databases, just as OpenLDAP. That is just the database contents.

- Deliver NetBSD with my small LDAP server, which can be a daemon that always runs on the machine.
Let pwd_mkdb et al write the stuff directly into the LDAP database.

While I would like having a simple LDAP server I don't like this approach. There are people which run NetBSD systems e.g. firewalls with only a single getty process running. And that should
still be possible.
Of course, that's one of my points (even though it may not have been so clear). If the ldap server is not started things will just read the old files as always. But if it is started the benefits of of using it will become available directly.

-- Ragge

Using files works very well and efficient on machines with only a few users. The security problems (e.g. that "/usr/bin/passwd") are well understood. Running an OpenLDAP server
should never be an requirement.

    Kind regards

Home | Main Index | Thread Index | Old Index