Subject: Re: PAM
To: Dan Melomedman <dan%dan.dan@devonit.com>
From: Greg A. Woods <woods@weird.com>
List: current-users
Date: 09/26/2002 15:38:33

[ On Thursday, September 26, 2002 at 12:52:36 (-0400), Dan Melomedman wrote: ]

> Subject: Re: PAM
>
> Greg A. Woods wrote:
> > > What do I do for LDAP authentication? Link LDAP libraries
> > > into libc?
> >
> > Yes, exactly, and call them via wrappers using the nsdispatch callbacks.
>
> But this is a place where dynamic linking actually makes lots of sense.

Huh? No, not really. There is absolutely zero benefit to such dynamic
loading of object modules in any open source system, certainly not for
A&A purposes. There can be many drawbacks and problems, some very
serious on several fronts. Indeed the dynamic loading of the module
doesn't even get you away from possibly having to have a separate daemon
or exec'ed program to allow you to achieve separation of privileges
anyway. Dynamic loading of A&A modules is really only necessary in
proprietary systems where the system vendor wishes to provide a means
for third-party developers of proprietary A&A mechanisms to hook in and
where the risks of using dynamic loading are outweighed by the perceived
ease of supporting such a framework.

> I don't want to be bothered with linking LDAP into the C library - many
> would agree also.

I certainly do want to be so bothered for production environments!
When playing around with code, perhaps testing and experimenting with
different schemes, I don't care so much how that code gets loaded to be
run. However in production environments I want to have one heck of a
lot more control over performance and security issues. I will not be
locked into requiring everything to be dynamically loaded! :-)

Indeed you don't have to be "bothered" with doing the linking if someone
else has already done it for you either. That's where open source
really starts to shine -- anyone can make use of the services of any
sufficiently talented person to do such things, even in an efficient and
centrally shared manner. For example you could become an LDAP expert
and you could supply LDAP enabled binaries under any number of schemes,
some of which could possibly earn you a decent living.

I know of several relatively unsophisticated non-programmer users who
regularly upgrade each and every FreeBSD machine they have by simply
running "cvsup && make World" (after being taught by someone who is a
competent enough programmer). I.e. they re-compile and relink the
source on _every_ machine, _every_ time. It's probably less difficult
for them to track the release branch than it is for any NetBSD user to
do regular upgrades via sysinst. It's certainly more timely and
flexible. Those people certainly wouldn't have major problems doing
local integration of static-linked LDAP support if the APIs and build
framework were provided for them.

--
Greg A. Woods
+1 416 218-0098; <g.a.woods@ieee.org>; <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>