tech-userlevel archive
Re: RFC: Going the LDAP/Kerberos way with NetBSD.
On 29 Apr 2008, at 16:16, Anders Magnusson wrote:
> Let the {s}pwd.db stuff die ...

I don't think that is a good idea, see below.

> and retire ypserv.

YP is old but widely supported. There are networks which consist of a large number of different operating systems including old versions. NIS is often enough the only common standard for sharing users and groups in such a network. NetBSD should continue to support NIS.

I however agree that it is time to offer an alternative.

> So, I went the other way and wrote a small LDAP server implementation, just to see how simple it can be if all bells and whistles are removed. And my prototype is small :-)

Which files or local database can it replace? I use an OpenLDAP server under NetBSD at home and besides users and groups it also provides automounter maps for my Mac OS X machine.

> - Deliver NetBSD with my small LDAP server, which can be a daemon that always runs on the machine.
>   Let pwd_mkdb et al write the stuff directly into the LDAP database.

While I would like having a simple LDAP server I don't like this approach. There are people who run NetBSD systems e.g. firewalls with only a single getty process running. And that should still be possible.

Using files works very well and efficiently on machines with only a few users. The security problems (e.g. that "/usr/bin/passwd") are well understood. Running an OpenLDAP server should never be a requirement.

Kind regards
--
Matthias Scheler http://zhadum.org.uk/