tech-userlevel archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Going LDAP #2

So, here's my idea about how the LDAP/Kerberos stuff should be used in
the NetBSD system.  Comments wanted :-)

To configure a system a command called xxinit (naming welcome) is used,
it works similar to ypinit.
        xxinit -m (master)
                - Starts the ldap server and kdc
                - Populates the ldap server with an initial layout
                - Asks about the realm name and initializes the kdc.
                - Sets up whatever else is needed.
        xxinit -c (client)
                - Asks about the master machine and root password for it.
                  This will get the configuration for the domain out
                  of ldap and fetch a machine key.
        xxinit -s (slave)
                - As for client but will also setup a local ldap/kdc

Also, a command xxmake should be added that does the same as ypmake
(which hasn't been a command but well-known anyway). It's used to
update the directory with information from the /etc files on the master.

As I wrote in the initial mail it would be possible to use this
approach also using the openldap server, but that would require a
quite large piece of software to be configured and maintained.
I therefore read some RFC's and wrote an embryo to a simple implementation
just to test it out, and it wasn't especially difficult.

- Only root credentials have the possibility to change something.
- Auth both simple and SASL (GSSAPI).
- Three access levels, placed on attributes only: root, auth and anon.
- Only a few attribute types; directorystring, integermatch etc.
- No OIDs or other similar stuff.

Using a decent ASN.1 compiler (I used asn1c) and the system db
as storage do not require that many lines of code, and if someone
wants more features then they can just setup and configure the openldap
server (and do an ldif dump to move the contents).

-- Ragge

Home | Main Index | Thread Index | Old Index