tech-userlevel archive


Re: RFC: Going the LDAP/Kerberos way with NetBSD.

David Holland wrote:
> On Tue, Apr 29, 2008 at 05:16:55PM +0200, Anders Magnusson wrote:
> > - NetBSD should have an infrastructure primarily based on LDAP for
> > directory services and Kerberos for authentication, which is used in
> > all environments as feasible. Let the {s}pwd.db stuff die and retire
> > ypserv. That sounds good, but how?

> That does not sound good. We already have nsswitch.conf and it works
> nicely. (There are ways it could be strengthened, maybe, too.)
> I don't see that abandoning it in favor of only LDAP is a step
There has not been any suggestion at all to drop either files or nsswitch.
On the contrary, they play a significant role in NetBSD. The only things in
the "drop case" are:

- {s}pwd.db. Should not be needed at all anymore. Actually, I think that
  using just the files when <50 entries in the passwd file would be faster
  than doing a db lookup. Haven't tested though, but would be quick to do.
  The point here is that if there are more than 50 users on the system you
  probably want a directory server on your machine.
- ypserv. Run yp compatibility stuff against an ldap backend instead.

> Or maybe you mean to keep it and only replace the existing "files"
> implementation with one that is integrated with LDAP? That doesn't
> seem like a step forward either - it adds a great deal of complexity
> to the basic files-only setup for effectively no benefit.
>
> *Adding* LDAP support seems like a fine idea, but please keep in mind
> that not everyone wants to use it.

> (Also, as I've suggested before, the best way to handle small networks
> is to add an "auxfiles" or similar target to nsswitch.conf that reads
> from, say, /etc/aux, which you can then rsync around or manage with
> git or whatever you like without interfering with the rest of /etc.

IMHO that's not nearly as simple as (today's) yp. And that is what I want
us to have a replacement for.

-- Ragge
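The two lookup ideas argued over above (Ragge's "just scan the flat files
when there are few entries, no {s}pwd.db needed" and David's "add an extra
file source to nsswitch.conf") both come down to nsswitch-style source
ordering over passwd(5)-format files. The script below is an added
illustration written for this archive page, not code from the thread or from
NetBSD: it emulates that ordering in plain POSIX sh over constructed sample
files. The "auxfiles" source and the /etc/aux path are David's hypothetical
proposal, not an existing nsswitch.conf target; the account lines are made
up.

```shell
#!/bin/sh
# Added example, not from the thread or from NetBSD. Emulates the
# "passwd: files auxfiles" source ordering of nsswitch.conf over plain
# passwd(5)-format files, with no {s}pwd.db involved. "auxfiles" and the
# /etc/aux path are the hypothetical proposal from the thread; the sample
# account lines below are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for /etc/passwd (no real accounts).
cat > "$WORK/passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/sh
alice:*:1001:1001:Alice Example:/home/alice:/bin/sh
EOF

# Constructed stand-in for the proposed /etc/aux, the file that would be
# rsync'd or git-managed between the machines of a small network. "alice"
# is deliberately duplicated here to show that source order decides.
cat > "$WORK/aux" <<'EOF'
alice:*:9999:9999:Alice Shadowed:/tmp:/sbin/nologin
bob:*:1002:1002:Bob Example:/home/bob:/bin/sh
EOF

# lookup_user NAME FILE... : print the first matching passwd(5) line,
# scanning each file in the order given, exactly as nsswitch walks its
# sources. A linear awk scan is the whole "files" lookup; for a handful of
# entries that is all the work a db lookup would have saved.
# Exit status 1 when no source knows the user.
lookup_user() {
    name=$1; shift
    for src in "$@"; do
        [ -r "$src" ] || continue          # unreadable/missing source: skip, like nsswitch
        line=$(awk -F: -v u="$name" '$1 == u { print; exit }' "$src")
        if [ -n "$line" ]; then
            printf '%s\n' "$line"
            return 0
        fi
    done
    return 1
}

# uid_of NAME FILE... : the uid field of the first match, empty if none.
uid_of() {
    lookup_user "$@" | awk -F: '{ print $3 }'
}

# Stand-alone demonstration: "files" first, then the hypothetical "auxfiles".
lookup_user alice "$WORK/passwd" "$WORK/aux"   # local passwd wins: uid 1001
lookup_user bob   "$WORK/passwd" "$WORK/aux"   # only in the aux file: uid 1002
lookup_user carol "$WORK/passwd" "$WORK/aux" || echo "carol: not found in any source"
```

Because the local passwd file is consulted first, the shadowing "alice" entry
in the aux file never wins; that ordering is the security-relevant detail of
the proposal, since an rsync'd file must not be able to override root or
other local accounts. On a real NetBSD system the equivalent check is
`getent passwd alice` after editing nsswitch.conf, which runs the configured
sources in order rather than this emulation.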
