tech-userlevel archive


Re: RFC: Going the LDAP/Kerberos way with NetBSD.



Matthias Scheler wrote:
> > If the ldap server is not started things will just read the old  
> > files as always.
> 
> I'm not sure whether I like that. Such clever hacks tend to backfire  
> badly.

This point deserves consideration.  

The magical "fall back on flat files if no daemon is running" is a good
way to build a consensus on a mailing list.  No one gives up anything: the
flat filers can ignore ldap and the ldapers get their functionality.  I
see two downsides: twice the complexity (code & documentation) to support
both ways, and mysterious, possibly unwanted fallback behavior.  

Consider: if your ldap server fails, do you want the flat files to be
consulted instead?  Will they be up to date and synchronized, or will they
be some old version, possibly the installed default or some early remnant?
 Will there be some way to ensure/report/test that they're synchronized,
some warning that they were used in lieu of the ldap server, some way to
discover which mechanism was used to render a particular result?  

Granted, I have a tin ear for embedded deployments, having never done that
sort of thing.  Could someone explain why it's a show stopper?  ISTM ldap
support could be designed to daemonize or not, depending on compile-time
options.  

Having *one* way to do things is clearly less code than having two ways. 
Depending on how simple is "simple", Ragge's simple ldap server could be
easier to set up, use, and maintain than what we have today.  

--jkl
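
The fallback questions raised in the message above, shown as an added example that is not part of the original post or of any NetBSD code: a lookup that reports which mechanism answered, warns when flat files are used in lieu of the directory, and flags a file that is out of sync. Every name, the serial-number sync marker, and the sample data are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* All names below are hypothetical; the data is constructed sample data. */
enum source { SRC_NONE, SRC_LDAP, SRC_FILES };
enum policy { FAIL_CLOSED, FALLBACK_TO_FILES };

struct entry  { const char *name; int uid; };
struct result { enum source source; int uid; int stale; };

/* "olduser" was removed from the directory but never from the flat file. */
static const struct entry ldap_db[]  = { {"alice", 1001}, {"bob", 1002} };
static const struct entry files_db[] = { {"alice", 1001}, {"olduser", 1003} };
/* Serial of the last directory state seen vs. the state the file was built from. */
static const long last_ldap_serial = 42, files_serial = 17;

static int find_uid(const struct entry *db, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(db[i].name, name) == 0)
            return db[i].uid;
    return -1;
}

/* ldap_up simulates whether the directory daemon answered. */
struct result lookup_user(const char *name, int ldap_up, enum policy p)
{
    struct result r = { SRC_NONE, -1, 0 };

    if (ldap_up) {
        r.source = SRC_LDAP;
        r.uid = find_uid(ldap_db, 2, name);
        return r;
    }
    if (p == FAIL_CLOSED)
        return r;                       /* no answer rather than a stale one */
    r.source = SRC_FILES;               /* caller can see which mechanism answered */
    r.uid = find_uid(files_db, 2, name);
    r.stale = (files_serial != last_ldap_serial);
    fprintf(stderr, "warning: directory unavailable, '%s' answered from flat files%s\n",
            name, r.stale ? " (not in sync)" : "");
    return r;
}

int main(void)
{
    struct result r = lookup_user("olduser", 0, FALLBACK_TO_FILES);
    printf("source=%d uid=%d stale=%d\n", r.source, r.uid, r.stale);
    return 0;
}
```

With the directory up, the removed account does not resolve; with it down and fallback enabled, the same name resolves from the stale file, which is the behavior the result's `source` and `stale` fields make visible.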

