
Re: Debian and LDAP?



On Mon, Oct 09, 2000 at 07:57:52PM -0700, Ian Eure wrote:
> On Mon, 9 Oct 2000, Ben Collins wrote:
> 
> > > 3. there are no tools for creating and maintaining users in an ldap
> > > database. this is the biggest problem, imo. login, passwd, chfn, chsh and
> > > su are all pam-ified, but user{add,del} and group{add,del} aren't.
> > 
> > LDAP is not used solely for authentication. It is, after all, a Directory
> > Service. This finds hundreds more uses than simple Name Service. You're
> > tagging one feature as the entire reason for having LDAP, which is wrong.
> > 
> i agree that ldap has many uses.
> 
> authentication is the big reason i want to use ldap. i apologize for
> letting my opinion color what i intended to be a technical discussion.
> 
> that aside, i feel that the debian authentication support (not just
> with LDAP) is lacking. there are required packages (passwd) which 
> manipulate /etc/passwd & /etc/group directly, versus using PAM. a bug
> (#61210) was filed against passwd, but there has been no reply from the
> maintainer. this is an upstream bug.

LDAP user/group manipulation does not belong in the shadow passwd/login
packages any more than SMB authentication does. I maintain these packages and
I don't want to bloat one with the other. LDAP authentication tools and
support need to be an addon or replacement, not all together.

> > Last, the final reason (excuse or whatever), Debian is volunteer. It won't
> > get done if no one is willing or able to do it. I never had time to build
> > up this particular feature. Giving everyone the apps that enabled them to
> > do it was my main goal, and that goal was met (even if it isn't automatic,
> > it is there).
> > 
> if you would appreciate some help, e.g. with packaging the ldap migration
> tools or folding them into the openldapd2 package, i would be willing to
> assist.

Any developer is free to work on things. I can't stop anyone who wants to
from doing this, and the new nss-ldap/pam-ldap maintainer is already
planning this, IIRC.

> i don't completely agree with your security argument, since switched
> networks are getting more and more popular, as well as transport-level
> encryption. but i would like to see the support nonetheless, and let the
> user decide if it's a risk they want to take.

Adding yet another insecure authentication method just to let the user
decide is not smart :) Either way, it doesn't much matter to me at this
point: since OpenLDAP 2 supports SSL (which means *everyone* gets the
benefits, not just the IPsec folks), the issue is moot, and potato won't
change, so let's move on. As I said, support for tools is planned, just be
patient, or help.

Ben

-- 
 -----------=======-=-======-=========-----------=====------------=-=------
/  Ben Collins  --  ...on that fantastic voyage...  --  Debian GNU/Linux   \
`  bcollins@debian.org  --  bcollins@openldap.org  --  bcollins@linux.com  '
 `---=========------=======-------------=-=-----=-===-======-------=--=---'
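The security argument in the message above turns on what a plaintext LDAP simple bind looks like on the wire. The example below is added here for illustration and is not code from the page, from OpenLDAP, pam_ldap, nss-ldap or Debian: it BER-encodes an LDAPv3 BindRequest with a "simple" password (RFC 2251) and then recovers the DN and password from the raw bytes, which is all a passive observer on a hub, or an attacker who has ARP-spoofed a switched segment, has to do when the session is not wrapped in SSL/TLS. The DN, password and the hex capture in the usage note are constructed sample values.

```python
"""Added example: why an LDAP simple bind without SSL/TLS is a sniffing risk.

Encodes an LDAPv3 BindRequest with a 'simple' password as BER (RFC 2251)
and recovers the DN and password from the raw bytes, as a passive observer
could. Not code from OpenLDAP, pam_ldap or Debian; sample values are made up.
"""


def ber_len(n: int) -> bytes:
    """BER definite length: one byte below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_int(value: int) -> bytes:
    """Minimal two's-complement INTEGER contents (non-negative values only)."""
    return value.to_bytes((value.bit_length() + 8) // 8, "big")


def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def encode_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3,
    name, authentication simple [0] } }, exactly as it goes on the wire."""
    bind = (
        tlv(0x02, ber_int(3))                   # version INTEGER 3
        + tlv(0x04, dn.encode("utf-8"))         # name LDAPDN (OCTET STRING)
        + tlv(0x80, password.encode("utf-8"))   # simple [0]: the password, in clear
    )
    return tlv(0x30, tlv(0x02, ber_int(message_id)) + tlv(0x60, bind))


def _read_tlv(buf: bytes, pos: int):
    """Parse one element at buf[pos]; return (tag, contents, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                    # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def extract_simple_bind(packet: bytes):
    """Return (message_id, dn, password) for a simple BindRequest, else None.

    This is what a sniffer recovers from one unencrypted bind; a SASL bind
    (authentication choice [3]) is reported as None because it carries no
    plaintext password in this field.
    """
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        return None
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        return None
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != 0x60:                     # not a BindRequest
        return None
    _, _version, pos = _read_tlv(bind, 0)
    _, dn, pos = _read_tlv(bind, pos)
    tag, auth, _ = _read_tlv(bind, pos)
    if tag != 0x80:                     # simple [0] only
        return None
    return int.from_bytes(mid, "big"), dn.decode("utf-8"), auth.decode("utf-8")


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    pkt = encode_simple_bind(1, "uid=ieure,ou=People,dc=example,dc=org", "s3cret")
    print(pkt.hex())
    print(extract_simple_bind(pkt))
```

The bytes `300c020101600702010304008000` are an anonymous bind (empty DN, empty password) and decode to `(1, "", "")`; the same parser, pointed at a capture of a real client's bind, yields the account password directly. Wrapping the session in SSL/TLS, as OpenLDAP 2 allows, hides the whole LDAPMessage from a passive observer, which is why the message above treats the plaintext variant as moot once SSL is available.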
