[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Alternatives to LDAP



David Wright wrote:
> >It is a chore to administer.
> 
> One four-line text file per app is "hard to administer"?

wc -l /etc/pam.conf
    107 /etc/pam.conf

Also look at /etc/pam.d

> PAM modules are loaded dynamically. Most are less than 10 KB big. No 
> processes are spawned to use them; PAM runs in-proc.

This is not the only requirement to reduce load. This is all speculation
anyway. Profiling needs to be done. For example, pam_ldap.so on RH 6.2 is 
about 50 kb in size. AFAIK this is linked to shared libraries.
The actual amount of RAM it uses is in megabytes. Link it statically,
and you'll see the actual size.

> >Its convoluted design is hard to even understand for most people.
> >The documentation for it is lacking.

If you agree with me on this, then what is there to discuss? Flawed
design is bad enough.

> What hashes pam_ldap supports directly depends entirely on what crypto 
> library you use to build it.

Wrong. pam_ldap ships with MD5 support. Just checked yesterday. It did
not when I tried to use it a year ago.

> But if you set OpenLDAP ACLs so that 
> pam_ldap can't read userPassword, pam_ldap doesn't need to support any 
> hashes at all; it just authenticates against the OpenLDAP server.

This is ridiculous, we have a commercial (from a company which rhymes
with Crisco) RADIUS server which only supports this type of 
LDAP authentication, and it forced us to create an LDAP entry
per service per user. We are now spending a lot of effort
converting the directory layout. (and eventually dumping this RADIUS
server). Don't do it to yourself (we didn't have a choice).

> >The real problem is the lack of libraries for Unix-from-LDAP
> >authentication. That said, anyone want to write gepw* for LDAP?
> 
> I assume you mean the getpw... APIs (with a "t"). This has been done 
> long ago; it's called nss_ldap.

But it depends on PAM. I would rather use versions of login,
chsh, passwd, etc which read environment variables which were previously
set by a process which runs these utilities. This would have been a much
better, simpler, easy to debug and configure system.