From owner-freebsd-security@FreeBSD.ORG Sat Sep 17 14:15:28 2011
Date: Sat, 17 Sep 2011 09:53:42 -0400
From: Ryan Steinmetz
To: "Hartmann, O."
Cc: freebsd-security@FreeBSD.org, Mike Carlson
Subject: Re: PAM modules -> LDAP!
Message-ID: <20110917135341.GA23643@fast.rit.edu>
In-Reply-To: <4E7492FE.2090506@zedat.fu-berlin.de>
References: <86boukbk8s.fsf@ds4.des.no> <4E73C163.9040601@llnl.gov> <4E7492FE.2090506@zedat.fu-berlin.de>
User-Agent: Mutt/1.5.21 (2010-09-15)
On (09/17/11 14:30), Hartmann, O. wrote:
> On 09/16/11 23:36, Mike Carlson wrote:
> > On 09/16/2011 08:05 AM, Dag-Erling Smørgrav wrote:
> >> We currently have a number of PAM modules in ports, and while some of
> >> them are specific to certain third-party software, many aren't. I
> >> believe we would benefit from importing at least some of these into
> >> base. My question is: which ones?
> >>
> >> DES
> >
> > LDAP support out of the box would be fantastic.
> >
> > Mike C
> > _______________________________________________
> > freebsd-security@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-security
> > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>
> Also a strong vote for LDAP support. LDAP is our backend for several
> server systems and it is a kind of pain having to think first for the
> ports to be installed. Also I suspect and hope a better integration if
> LDAP gets part of the core system.
>
> Regards,
> Oliver

I think some caution should be used whenever we discuss merging things into the base system. There may be other ways of achieving the same functionality, without the challenges that come with merging things directly into the base system. Ports tend to be easier to update (in terms of version bumps/feature additions) when compared to things that become part of base.
I think an interesting concept would be something that gave us the ability to (easily) tie certain ports into software from the base system. Something that would allow the software to be more easily kept current. Perhaps this could be done via some sort of base-integrated ports category that requires extra-special care/controls when being updated.

Using the above idea, perhaps we could have ISOs or the like available that include these 'base-integrated' ports pre-installed, thus giving users the ability to (effectively) have an out-of-the-box solution that included LDAP support, etc., while still having these 'base-integrated' ports loosely coupled with the base OS. The concept could keep the base system lean, but provide the flexibility that users desire.

Obviously there are some complexities associated with implementing the framework and details that would need to be worked out, but this could address:

- The desire to keep the base system lean
- The desire to provide certain features out-of-the-box
- The ability to keep these 'base-integrated' ports more current in terms of features/functionality

-r

--
Ryan Steinmetz
PGP: EF36 D45A 5CA9 28B1 A550 18CD A43C D111 7AD7 FAF2