Date: Sat, 17 Sep 2011 13:55:38 -0700
From: Xin LI <delphij@delphij.net>
To: freebsd-security@freebsd.org
Cc: Chao Shin <quakelee@geekcn.org>
Subject: Re: PAM modules -> LDAP!
Message-ID: <4E75094A.8040902@delphij.net>
In-Reply-To: <20110917135341.GA23643@fast.rit.edu>
References: <86boukbk8s.fsf@ds4.des.no> <4E73C163.9040601@llnl.gov> <4E7492FE.2090506@zedat.fu-berlin.de> <20110917135341.GA23643@fast.rit.edu>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 09/17/11 06:53, Ryan Steinmetz wrote:
[...]
> I think some caution should be used whenever we discuss merging
> things into the base system. There may be other ways of achieving
> the same functionality, without the challenges that come with
> merging things directly into the base system. Ports tend to be
> easier to update (in terms of version bumps/feature additions)
> when compared to things that become part of base.
>
> I think an interesting concept would be something that gave us the
> ability to (easily) tie certain ports into software from the base
> system. Something that would allow the software to be more easily
> kept current. Perhaps this could be done via some sort of
> base-integrated ports category that requires extra-special
> care/controls when being updated.
>
> Using the above idea, perhaps we could have ISOs or the like
> available that include these 'base-integrated' ports pre-installed,
> thus giving users the ability to (effectively) have an
> out-of-the-box solution that included LDAP support, etc., while
> still having these 'base-integrated' ports loosely coupled with the
> base OS. The concept could keep the base system lean, but provide
> the flexibility that users desire.
>
> Obviously there are some complexities associated with implementing
> the framework and details that would need to be worked out, but
> this could address:
> - The desire to keep the base system lean
> - The desire to provide certain features out-of-the-box
> - The ability to keep these 'base-integrated' ports more current in terms
>   of features/functionality

I've put a preliminary patchset at:

http://people.freebsd.org/~delphij/misc/freebsd8.2-ldap.diff.xz

For interested parties.
That work was done to meet quakelee@'s company's needs (mostly done by him; I helped him with some minor things on my weekends) and the patch might need some cleanup work (I've stripped down the unrelated parts, like bringing rsync and sudo into their base system, but it's well possible that I've missed something or haven't removed some junk in this patchset -- ask me and/or quakelee@ if that's the case; their patched system works fine and I have everything in our git, so let me know if that works).

Speaking for having or not having this by default for FreeBSD: it's not hard for us to make a customized distribution, and the patchset allows one to build an LDAP-free system. We have stripped down OpenLDAP to only do the client side, and the symbols have been renamed to avoid conflicts with the OpenLDAP port.

Personally I don't consider an Operating System that has no built-in LDAP support as a complete one, and consider this: what happens when OpenLDAP's shared library version is bumped (this is not rare) and what would your LDAP-linked sshd and pam modules do?

"base-integrated" port -- I wouldn't object if that would ever happen, but I bet it's a much bigger one than LDAP integration :)

It may take me a day or two to get our patchset cleaned up and updated to -HEAD and the latest OpenLDAP -stable and universe it, plus test on amd64, but implementing a shiny new framework is not something we (I and quakelee@) could do.

Cheers,
--
Xin LI <delphij@delphij.net> https://www.delphij.net/
FreeBSD - The Power to Serve!
Live free or die

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (FreeBSD)

iQEcBAEBCAAGBQJOdQlKAAoJEATO+BI/yjfB1YgIAJE4l+KOsTg+BPtWe3lJhLfF
bTk7HlpeZOpTgTYFJ93E0+kIls4+iZN6LfwNaiDGEQXMA6Ot7utf2oa87uK+dSxv
9mjj/cUgkYOaN2wTOs15H2bTKbq/Fyh0eD2ewZ0cu9U9S+6earPK/n/VseQYa9M7
aXcOdcrVqKpTMb7+JiEDjiAzGYKgnwldoTFEnKaVoKay032gWPP5RJ1rMiZa8HXu
p/1QrMgpumg8rS0Tk1qlpSljAOqG3T5/iEXgcIYvi6APbp/Wy9KGvLO68/xJodaf
gxLKZ1Hx4xE+4vIou/5jV9XqP2XcIueH1WJFdyDx5tDEyGrpP3NIs2lObupQ36M=
=oorR
-----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4E75094A.8040902>