I'd like to propose that we import OpenLDAP into NetBSD.
Benefits:
* It appears to be the most common protocol for distributed
user & group authentication across heterogeneous systems,
including Windows (Active Directory), OS X, Solaris, and
most Linux distributions.
It has replaced NIS for most UNIX systems.
* Existing tools in the tree can be compiled with LDAP support,
and providing an LDAP implementation in the base distribution
removes the need to provide a replacement (via pkgsrc) of
said tools just to enable LDAP. These include:
- AMD (for the automount maps)
- BIND (to store zones in, instead of using files)
- Heimdal (to store the krb5 database)
- Postfix (various address tables)
- Racoon
* OpenLDAP appears to have a license suitable for use by TNF code:
http://www.openldap.org/software/release/license.html
* OpenLDAP provides both a library for client applications to
use, and a server implementation.
* Can be used for username/group lookups and authentication
via nsswitch nss_ldap.so and PAM pam_ldap.so modules.
A common implementation is the LGPL licensed versions
from http://www.padl.com/, which may or may not be suitable.
A proof of concept BSD-licensed nss_ldap has been
written by Tyler Retzlaff <rtr> for NetBSD.
Costs:
* Base gets a bit bigger.
* LDAP isn't as lightweight as advertised.
Proposed plan:
* Import openldap 2.4.8 ("OpenLDAP release") into src/dist/openldap
* Provide reachover Makefiles in the appropriate sections of the tree
for the client libraries and the servers.
There's a project at:
http://www.netbsd.org/contrib/projects.html#ldapimport
for this. I don't think that the effort would take two weeks.
* Enable LDAP in the various tools that can use it.
* Consider providing defaults that use LDAP over SSL.
* Evaluate & import Tyler Retzlaff's nss_ldap implementation
(for at least passwd and group databases).
* Write (or commission) a pam_ldap implementation.
Opinions?
cheers,
Luke.