tech-userlevel archive
Re: RFC: Going the LDAP/Kerberos way with NetBSD.
Matthias Scheler wrote:
> On 29 Apr 2008, at 16:16, Anders Magnusson wrote:
>> Let the {s}pwd.db stuff die ...
>
> I don't think that is a good idea, see below.

Note that {s}pwd.db has nothing to do with yp.

>> and retire ypserv.
>
> YP is old but widely supported. There are networks which consist of a
> large number of different operating systems including old versions. NIS
> is often enough the only common standard for sharing users and groups
> in such a network. NetBSD should continue to support NIS.

Yep, it should, therefore I wrote nothing on removing ypbind :-)
For ypserv, there are two things:
- Move the old ypserv goo to pkgsrc.
- Provide yp compat for ldap. Simple and clean, and especially good in
  a migrating environment.

> I however agree that it is time to offer an alternative.
>
>> So, I went the other way and wrote a small LDAP server
>> implementation, just to see how simple it can be if all bells and
>> whistles are removed. And my prototype is small :-)
>
> Which files or local database can it replace? I use an OpenLDAP server
> under NetBSD at home and besides users and groups it also provides
> automounter maps for my Mac OS X machine.

All databases, just as OpenLDAP. That is just the database contents.

>> - Deliver NetBSD with my small LDAP server, which can be a daemon
>>   that always runs on the machine.
>>   Let pwd_mkdb et al write the stuff directly into the LDAP database.
>
> While I would like having a simple LDAP server I don't like this
> approach. There are people who run NetBSD systems e.g. firewalls with
> only a single getty process running. And that should still be possible.

Of course, that's one of my points (even though it may not have been so
clear). If the ldap server is not started things will just read the old
files as always. But if it is started the benefits of using it will
become available directly.

-- Ragge

> Using files works very well and efficiently on machines with only a few
> users. The security problems (e.g. that "/usr/bin/passwd") are well
> understood. Running an OpenLDAP server should never be a requirement.
>
> Kind regards