tech-userlevel archive
RFC: Going the LDAP/Kerberos way with NetBSD.
After Luke's mail on integrating OpenLDAP, I think it may be a good time
to re-think how NetBSD works in both stand-alone and small network
environments. I have some ideas here, please comment on them for things
I have missed :-)

Today:
- NetBSD has a few databases in /etc used in a standalone environment,
  but most stuff is in text files. For small networks there is YP, which
  provides a rudimentary directory service. YP today starts to be quite
  outdated; it is not especially secure and does not necessarily have
  the capabilities wanted. Also, there are fewer and fewer other sites
  using it.

Wanted environment:
- A default installation that can work as a good standalone machine.
  From this position it should be simple to make it a server for a few
  machines, or to join it to an environment of other NetBSD machines or
  machines with other OSes.

Idea:
- NetBSD should have an infrastructure primarily based on LDAP for
  directory services and Kerberos for authentication, which is used in
  all environments where feasible. Let the {s}pwd.db stuff die and
  retire ypserv.

...so, that sounds good, but how?

Setting up OpenLDAP is quite a complex task; it requires understanding
of how LDAP works, how the security policies should be, configuration of
backends, certificates etc. Even though it may be possible to set up a
reasonable default configuration, I doubt it is good to require people
trying/using NetBSD to have to deal with it. LDAP is not as "lightweight"
as required for this.

So, I went the other way and wrote a small LDAP server implementation,
just to see how simple it can be if all bells and whistles are removed.
And my prototype is small :-)

To sum up (so that the mail does not get too long and people do not
care to read it), I think something like this:

- Deliver NetBSD with my small LDAP server, which can be a daemon that
  always runs on the machine. Let pwd_mkdb et al. write the stuff
  directly into the LDAP database. (I assume that passwd can generate
  the Kerberos encryption keys as well, for eventual future KDC use?)
  Have a command similar to ypmake that puts groups etc. in the LDAP
  directory as well. This is the default config for a newly-installed
  machine.
- If the machine is supposed to be used as a server in a small network,
  just run e.g. ypinit -s, which asks questions about the Kerberos
  realm, populates LDAP with the required KDC keys and starts the KDC.
- If it is supposed to be a client in a NetBSD network, just run
  something like ypinit -c <servername>, which will fetch the config out
  of the LDAP and generate host keys for the target machine. Quite
  simple :-)

And if someone wants to use more fancy features in an LDAP server,
install OpenLDAP or iPlanet. It should be trivial to just switch over.

Now, after a much too long mail, comments please? :-)
-- Ragge
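The "pwd_mkdb et al. write the stuff directly into the LDAP database" step above needs a mapping from the master.passwd(5)/group(5) records to LDAP entries. The script below, an added example that is neither Ragge's prototype nor NetBSD code, shows the standard RFC 2307 mapping (posixAccount/shadowAccount for users, posixGroup for groups) as LDIF. The base DN (dc=example,dc=org), the ou=People/ou=Group layout and the sample records are constructed for illustration. Two details a practitioner cares about are handled explicitly: locked accounts ('*' hash) get no userPassword attribute at all, and login and group names are RDN-escaped so a crafted name cannot inject an extra RDN into the DN.

```python
"""Turn NetBSD master.passwd(5) and group(5) records into RFC 2307 LDIF.

Added example (not part of the original mail, nor NetBSD code): it sketches
the "pwd_mkdb writes into the LDAP database" step of the proposal. Each user
becomes a posixAccount/shadowAccount entry, each group a posixGroup entry.
The base DN and the sample records are constructed for illustration.
"""
import base64
import re

BASE_DN = "dc=example,dc=org"  # assumption: whatever suffix the local server holds

# Constructed sample input, master.passwd(5) layout:
# name:password:uid:gid:class:change:expire:gecos:home_dir:shell
MASTER_PASSWD = """\
root:$2b$10$abcdefghijklmnopqrstuu:0:0::0:0:Charlie &:/root:/bin/sh
ragge:$2b$10$0123456789abcdefghijkl:1000:100::0:1700000000:Anders Magnusson,Room 1:/home/ragge:/bin/ksh
nobody:*:32767:39::0:0:Unprivileged user:/nonexistent:/sbin/nologin
"""

GROUP = """\
wheel:*:0:root,ragge
users:*:100:
"""


def _escape_rdn(value):
    """Escape RDN value characters per RFC 4514 so a login name such as
    "ragge,ou=Admins" cannot smuggle an extra RDN into the DN."""
    out = re.sub(r'([,+"\\<>;=])', r"\\\1", value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def _attr(name, value):
    """One LDIF attribute line; base64 when RFC 2849 says the value is unsafe."""
    unsafe = (not value.isascii() or value[:1] in (" ", ":", "<")
              or value.endswith(" ") or any(c in value for c in "\r\n\0"))
    if unsafe:
        return f"{name}:: {base64.b64encode(value.encode()).decode()}"
    return f"{name}: {value}"


def parse_master_passwd(text):
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            raise ValueError(f"malformed master.passwd line: {line!r}")
        name, pw, uid, gid, _cls, _change, expire, gecos, home, shell = fields
        # passwd(5): '&' in the gecos field stands for the capitalised login name
        gecos = gecos.replace("&", name.capitalize())
        users.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                      "expire": int(expire), "gecos": gecos, "home": home,
                      "shell": shell})
    return users


def parse_group(text):
    groups = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups.append({"name": name, "gid": int(gid),
                       "members": [m for m in members.split(",") if m]})
    return groups


def user_to_ldif(u, base_dn=BASE_DN):
    lines = [f"dn: uid={_escape_rdn(u['name'])},ou=People,{base_dn}",
             "objectClass: top", "objectClass: account",
             "objectClass: posixAccount", "objectClass: shadowAccount",
             _attr("uid", u["name"]),
             _attr("cn", u["gecos"].split(",")[0] or u["name"]),
             _attr("uidNumber", str(u["uid"])),
             _attr("gidNumber", str(u["gid"])),
             _attr("homeDirectory", u["home"]),
             _attr("loginShell", u["shell"]),
             _attr("gecos", u["gecos"])]
    # A '*' hash (or an empty one) locks the account in master.passwd;
    # give such entries no userPassword at all so a simple bind cannot succeed.
    if u["pw"] and not u["pw"].startswith("*"):
        lines.append(_attr("userPassword", "{CRYPT}" + u["pw"]))
    # NetBSD stores expiry as epoch seconds (0 = never); shadowExpire wants days.
    if u["expire"]:
        lines.append(_attr("shadowExpire", str(u["expire"] // 86400)))
    return "\n".join(lines) + "\n"


def group_to_ldif(g, base_dn=BASE_DN):
    lines = [f"dn: cn={_escape_rdn(g['name'])},ou=Group,{base_dn}",
             "objectClass: top", "objectClass: posixGroup",
             _attr("cn", g["name"]), _attr("gidNumber", str(g["gid"]))]
    lines += [_attr("memberUid", m) for m in g["members"]]
    return "\n".join(lines) + "\n"


def build_ldif(master_passwd=MASTER_PASSWD, group=GROUP, base_dn=BASE_DN):
    """Full LDIF for both files, entries separated by blank lines."""
    entries = [user_to_ldif(u, base_dn) for u in parse_master_passwd(master_passwd)]
    entries += [group_to_ldif(g, base_dn) for g in parse_group(group)]
    return "\n".join(entries)


if __name__ == "__main__":
    print(build_ldif(), end="")
```

The resulting LDIF carries the crypt hashes in userPassword, so whatever server loads it must restrict that attribute the same way master.passwd is restricted (root-only; the world-readable /etc/passwd carries only '*'), otherwise moving to LDAP turns a mode-600 file into a hash dump for any anonymous bind. The "change" field is dropped here because NetBSD's "must change by" timestamp has no direct shadowAccount equivalent (shadowLastChange/shadowMax are expressed relative to the last change).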