tech-userlevel archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: RFC: Going the LDAP/Kerberos way with NetBSD.

James K. Lowden wrote:
The magical "fall back on flat files if no daemon is running" is a good
way to build a consensus on a mailing list.  No one gives up anything: the
flat filers can ignore ldap and the ldapers get their functionality.  I
see two downsides: twice the complexity (code & documentation) to support
both ways, and mysterious, possibly unwanted fallback behavior.
The logic is already there and in use, it's called /etc/nsswitch.conf :-)

Consider: if your ldap server fails, do you want the flat files to be
consulted instead?  Will they be up to date and synchronized, or will they
be some old version, possible the installed default or some early remnant?
 Will there be some way to ensure/report/test that they're synchronized,
some warning that they were used in lieu of the ldap server, some way to
discover which mechanism was used to render a particular result?
Granted, I have a tin ear for embedded deployments, having never done that
sort of thing.  Could someone explain why it's a show stopper?  ISTM ldap
support could be designed to daemonize or not, depending on compile-time
options. Having *one* way to do things is clearly less code than having two ways. Depending on how simple is "simple", Ragge's simple ldap server could be easier to set up, use, and maintain than what we have today.
That's my point. And there is nothing that prevents applications (libraries) to read directly from the databases; that is one of the nice side-effects with it :-)

-- Ragge

Home | Main Index | Thread Index | Old Index