Re: RFC: Going the LDAP/Kerberos way with NetBSD.

[Anders Magnusson <ragge%ludd.ltu.se@localhost>]

James K. Lowden wrote:
> The magical "fall back on flat files if no daemon is running" is a good
> way to build a consensus on a mailing list.  No one gives up anything: the
> flat filers can ignore ldap and the ldapers get their functionality.  I
> see two downsides: twice the complexity (code & documentation) to support
> both ways, and mysterious, possibly unwanted fallback behavior.  
>   
The logic is already there and in use, it's called /etc/nsswitch.conf :-)

> Consider: if your ldap server fails, do you want the flat files to be
> consulted instead?  Will they be up to date and synchronized, or will they
> be some old version, possible the installed default or some early remnant?
>  Will there be some way to ensure/report/test that they're synchronized,
> some warning that they were used in lieu of the ldap server, some way to
> discover which mechanism was used to render a particular result?  
>
> Granted, I have a tin ear for embedded deployments, having never done that
> sort of thing.  Could someone explain why it's a show stopper?  ISTM ldap
> support could be designed to daemonize or not, depending on compile-time
> options.  
>
> Having *one* way to do things is clearly less code than having two ways. 
> Depending on how simple is "simple", Ragge's simple ldap server could be
> easier to set up, use, and maintain than what we have today.  
>   
That's my point.  And there is nothing that prevents applications 
(libraries) to read
directly from the databases; that is one of the nice side-effects with 
it :-)

-- Ragge