From owner-freebsd-security@FreeBSD.ORG Sat Sep 17 20:55:39 2011
Message-ID: <4E75094A.8040902@delphij.net>
Date: Sat, 17 Sep 2011 13:55:38 -0700
From: Xin LI
Organization: The FreeBSD Project
To: freebsd-security@freebsd.org
Cc: Chao Shin
References: <86boukbk8s.fsf@ds4.des.no> <4E73C163.9040601@llnl.gov> <4E7492FE.2090506@zedat.fu-berlin.de> <20110917135341.GA23643@fast.rit.edu>
In-Reply-To: <20110917135341.GA23643@fast.rit.edu>
OpenPGP: id=3FCA37C1; url=http://www.delphij.net/delphij.asc
Subject: Re: PAM modules -> LDAP!
On 09/17/11 06:53, Ryan Steinmetz wrote:
[...]
> I think some caution should be used whenever we discuss merging
> things into the base system. There may be other ways of achieving
> the same functionality, without the challenges that come with
> merging things directly into the base system. Ports tend to be
> easier to update (in terms of version bumps/feature additions)
> when compared to things that become part of base.
>
> I think an interesting concept would be something that gave us the
> ability to (easily) tie certain ports into software from the base
> system. Something that would allow the software to be more easily
> kept current. Perhaps this could be done via some sort of
> base-integrated ports category that requires extra-special
> care/controls when being updated.
>
> Using the above idea, perhaps we could have ISOs or the like
> available that include these 'base-integrated' ports pre-installed,
> thus giving users the ability to (effectively) have an
> out-of-the-box solution that included LDAP support, etc., while
> still having these 'base-integrated' ports loosely coupled with the
> base OS. The concept could keep the base system lean, but provide
> the flexibility that users desire.
>
> Obviously there are some complexities associated with implementing
> the framework and details that would need to be worked out, but
> this could address:
> - The desire to keep the base system lean
> - The desire to provide certain features out-of-the-box
> - The ability to keep these 'base-integrated' ports more current in
>   terms of features/functionality

I've put a preliminary patchset at:

http://people.freebsd.org/~delphij/misc/freebsd8.2-ldap.diff.xz

for interested parties.

That work was done to meet quakelee@'s company's needs (mostly done by him; I helped him with some minor things on my weekends) and the patch might need some cleanup work (I've stripped down the unrelated parts, like bringing rsync and sudo into their base system, but it's well possible that I've missed something or haven't removed some junk in this patchset -- ask me and/or quakelee@ if that's the case; their patched system works fine and I have everything in our git, so let me know if that works).

Speaking of having this by default for FreeBSD or not: it's not hard for us to make a customized distribution, and the patchset allows one to build an LDAP-free system. We have stripped down OpenLDAP to only do the client side, and the symbols have been renamed to avoid conflicts with the port OpenLDAP.

Personally I don't consider an operating system that has no built-in LDAP support a complete one, and consider this: what happens when OpenLDAP's shared library version gets bumped (this is not rare), and what would your LDAP-linked sshd and PAM modules do?

"base-integrated" port -- I wouldn't object if that would ever happen, but I bet it's a much bigger job than LDAP integration :)

It may take me a day or two to get our patchset cleaned up and updated to -HEAD and the latest OpenLDAP -stable, universe it, and test on amd64, but implementing a shiny new framework is not something we (I and quakelee@) could do.

Cheers,
--
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve!
Live free or die
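As an added example, not part of this thread, here is a small POSIX shell check for the failure mode Xin LI raises: after a port-provided libldap changes its shared-library version, it lists which binaries can no longer resolve their dependencies. The `ldd` output below is constructed, and the binary paths and library version numbers are hypothetical.

```shell
#!/bin/sh
# Added example: report binaries whose shared-library dependencies no longer
# resolve, e.g. a base sshd linked against a libldap whose version was bumped.
# Input is text in the format printed by `ldd` for one or more files.

# Constructed sample ldd output (hypothetical paths and library versions):
# sshd still wants the old libldap, pam_ldap was rebuilt against the new one.
SAMPLE_LDD='/usr/sbin/sshd:
	libldap-2.4.so.8 => not found (0)
	libcrypto.so.6 => /lib/libcrypto.so.6 (0x800a00000)
	libc.so.7 => /lib/libc.so.7 (0x800c00000)
/usr/lib/pam_ldap.so:
	libldap-2.4.so.9 => /usr/local/lib/libldap-2.4.so.9 (0x800a00000)
	libc.so.7 => /lib/libc.so.7 (0x800c00000)'

# unresolved_deps TEXT: print "<binary> <library>" for every dependency that
# ldd reported as "not found". Exit status is 1 when anything is unresolved.
unresolved_deps() {
    printf '%s\n' "$1" | awk '
        # A line with a single field ending in ":" names the binary being examined.
        NF == 1 && /:$/ { bin = substr($0, 1, length($0) - 1); next }
        # Dependency lines look like: <lib> => <path or "not found"> (<addr>)
        $2 == "=>" && $3 == "not" && $4 == "found" { print bin, $1; bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}

# On a live FreeBSD system you would feed real output instead, e.g.:
#   unresolved_deps "$(ldd /usr/sbin/sshd /usr/lib/pam_*.so 2>/dev/null)"
unresolved_deps "$SAMPLE_LDD" || echo "WARNING: unresolved shared libraries listed above"
```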