tech-userlevel archive


Re: Importing OpenLDAP into base



On Wed, Apr 23, 2008 at 9:10 AM, Luke Mewburn <lukem%netbsd.org@localhost> wrote:
> I'd like to propose that we import OpenLDAP into NetBSD.
>
>
>  Benefits:
>
>  * It appears to be the most common protocol for distributed
>   user & group authentication across heterogeneous systems,
>   including Windows (Active Directory), OS X, Solaris, and
>   most Linux distributions.
>   It has replaced NIS for most UNIX systems.
>
>  * Existing tools in the tree can be compiled with LDAP support,
>   and providing an LDAP implementation in the base distribution
>   removes the need to provide a replacement (via pkgsrc) of
>   said tools just to enable LDAP.  These include:
>         - AMD (for the automount maps)
>         - BIND (to store zones in, instead of using files)
>         - Heimdal (to store the krb5 database)
>         - Postfix (various address tables)
>         - Racoon
>
>  * OpenLDAP appears to have a license suitable for use by TNF code:
>         http://www.openldap.org/software/release/license.html
>
>  * OpenLDAP provides both a library for client applications to
>   use, and a server implementation.
>
>  * Can be used for username/group lookups and authentication
>   via nsswitch nss_ldap.so and PAM pam_ldap.so modules.
>   A common implementation is the LGPL licensed versions
>   from http://www.padl.com/, which may or may not be suitable.
>   A proof of concept BSD-licensed nss_ldap has been
>   written by Tyler Retzlaff <rtr> for NetBSD.
>
>
>  Costs:
>
>  * Base gets a bit bigger.
>
>  * LDAP isn't as lightweight as advertised.
>
>
>  Proposed plan:
>
>  * Import openldap 2.4.8 ("OpenLDAP release") into src/dist/openldap
>
>  * Provide reachover Makefiles in the appropriate sections of the tree
>   for the client libraries and the servers.
>   There's a project at:
>         http://www.netbsd.org/contrib/projects.html#ldapimport
>   for this.  I don't think that the effort would take two weeks.
>
>  * Enable LDAP in the various tools that can use it.
>
>  * Consider providing defaults that use LDAP over SSL.
>
>  * Evaluate & import Tyler Retzlaff's nss_ldap implementation
>   (for at least passwd and group databases).
>
>  * Write (or commission) a pam_ldap implementation.
>
>
>  Opinions ?
>


I think this is a really good idea!  What parts of openldap are you
planning on building?

I would propose that netbsd only provide the clients and libraries.

Supporting the server is daunting since openldap releases -often- and
needs a modern (from oracle) version of bdb to work as a real server.
(back-ldif didn't work as a real database when I tried it a few months
ago and back-passwd is claimed as demonstration-only -- see
slapd.backends(5) )

