
Re: Debian and LDAP?

> 2. not really a debian problem, but: ldap migration tools (from
> http://www.padl.com/tools.html) try to create "ou=People,cn=...", which is
> already created once openldapd is configured. adding `-c' to the call to
> ldapadd in `migrate_all_online.sh' fixes this.

Exactly, not a Debian problem.

> 3. there are no tools for creating and maintaining users in an ldap
> database. this is the biggest problem, imo. login, passwd, chfn, chsd and
> su are all pam-ified, but user{add,del} and group{add,del} aren't.

LDAP is not used solely for authentication. It is, after all, a Directory
Service. This finds hundreds more uses than simple Name Service. You're
tagging one feature as the entire reason for having LDAP, which is wrong.

> are there any plans to have better support for ldap in woody? it would be
> extremely nice to have ldap authentication as an installation option, and
> have openldapd automagically migrate all the users, groups, etc when it
> installs.

Of course, I maintain the server and libraries. I've turned over all the
applications (nss-ldap, pam-ldap, tcl-ldap, etc...) to someone else, who
has more time to mature the support.

Last, the final reason (excuse or whatever): Debian is volunteer. It won't
get done if no one is willing or able to do it. I never had time to build
up this particular feature. Giving everyone the apps that enabled them to
do it was my main goal, and that goal was met (even if it isn't automatic,
it is there).

Secondly, I really feel that the openldap1 in potato (and redhat for that
matter) is not a good replacement for an authentication scheme. For one,
it lacks a secure protocol (SSL in this case), which is a lack in
openldap, not really Debian or RedHat. This makes it no more secure or
better than NIS, which means it is really bad. OpenLDAP 2, however, does
have this capability via SASL. It was just released in a somewhat stable
tarball just recently. It is in woody.

My point being that I did not feel that OpenLDAP 1 was suitable for
touting or completing a broken feature (insecure one), so I did not put
priority on it. Now that OpenLDAP 2 is in woody...


/  Ben Collins  --  ...on that fantastic voyage...  --  Debian GNU/Linux   \
`  bcollins@debian.org  --  bcollins@openldap.org  --  bcollins@linux.com  '
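The duplicate-entry problem in item 2 and the missing user tools in item 3 above can both be illustrated with a hand-written LDIF in the RFC 2307 layout the PADL scripts emit. This is an added example, not part of the original message or of the PADL scripts; the suffix dc=example,dc=com, the admin DN and the account jdoe (uid/gid 1001, the shadow values) are assumed, constructed values. The ou=People and ou=Group entries are the ones the server setup has already created, so loading this file with `ldapadd -c` reports "Already exists" for them and carries on to the user and group entries instead of aborting:

```ldif
# Constructed example. Suffix, admin DN and the jdoe account are assumed values.
# These two OUs already exist after the server is configured; ldapadd without
# -c stops at the first "Already exists" error, ldapadd -c skips it and
# continues with the remaining entries.
dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Group

# A user entry in the shape migrate_passwd.pl produces (account + posixAccount
# + shadowAccount), which is what nss_ldap/pam_ldap look up. There is no
# useradd equivalent for LDAP, so this is the file you write by hand.
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: jdoe
cn: Jane Doe
gecos: Jane Doe
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/jdoe
loginShell: /bin/bash
# "!" is never a valid crypt(3) output, so the account stays locked until a
# real password is set through the PAM-aware passwd. A migration that fails
# halfway therefore never leaves a login with no password behind.
userPassword: {crypt}!
shadowLastChange: 11000
shadowMax: 99999
shadowWarning: 7

# The user's private group, as migrate_group.pl would create it.
dn: cn=jdoe,ou=Group,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: jdoe
gidNumber: 1001
```

Load it with `ldapadd -c -D "cn=admin,dc=example,dc=com" -W -f users.ldif` (add `-x` on OpenLDAP 2 so the client uses a simple bind rather than SASL; the option set is assumed from the ldapadd(1) of that era). Because the 1.x server offers no SSL, the bind password crosses the network in the clear, so run the load on the LDAP host itself against localhost rather than from a remote machine, and the same caveat applies to every pam_ldap bind until OpenLDAP 2 is in place.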
