[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Brief syncrepl question

To: Michael L Torrie <torriem@chem.byu.edu>
Subject: Re: Brief syncrepl question
From: Howard Chu <hyc@symas.com>
Date: Tue, 30 May 2006 14:19:00 -0700
Cc: OpenLDAP-software@OpenLDAP.org
In-reply-to: <1149021097.6121.66.camel@isengard>
References: <1149006426.6121.3.camel@isengard> <Pine.SOL.4.58.0605301243060.1739@toolbox.rutgers.edu> <1149012470.6121.30.camel@isengard> <447CA7C9.2060908@symas.com> <1149021097.6121.66.camel@isengard>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060528 SeaMonkey/1.5a

Michael L Torrie wrote:

At one time conventional wisdom dictated that authorization and authentication should be separate. So in keeping with that Apple's solution was seen as a good one at the time. All the many different kinds of authentications and hashes were kept in one service which could automatically be kept in sync without the need for special mechanisms (such as the overlay that syncs the userPassword and sambaNtPassword field). However practice and theory are two different things and in practice everyone uses LDAP for authentication as well as authorization. And while storing sasl secrets in LDAP is convenient, to my knowledge there was no mechanism for synchronizing and secrets, etc. And only recently have I noticed policy mechanisms being implemented.

Password policy is an excellent example - we (Symas) were commissioned by Hewlett-Packard to develop that code. If someone (e.g. Apple) had stated the requirement sooner, it would have been implemented sooner. And because HP stipulated that the resulting work be contributed back to the Project, they get the added advantage of having it tested in environments beyond what they originally envisioned. If/when their own needs that originally prompted the work expand beyond its original scope, the code will already be up to the task, in stable fully functioning condition.

I dislike immensely the way Apple has done these things. As you say they should have worked with the community, but from what I can see Apple hasn't ever embraced open source and the philosophy behind it. However I can see the reasons why they implemented the password server and intellectually, at least, I agree with them. But the implementation is poor.

Authentication and authorization are essential to all computer systems; there's no reason to believe that their requirements were unique to MacOS. It makes more sense to work in the open, so that the hard thinking and work only needs to be done once, and has a strong likelihood of being indefinitely reusable. I know what you mean about Apple's philosophy, but even from a purely economical standpoint, philosophy excluded, it makes no sense to bring the perpetual support burden upon yourself of going it alone.

--
 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/

References:
- Brief syncrepl question
  - From: Michael L Torrie <torriem@chem.byu.edu>
- Re: Brief syncrepl question
  - From: Aaron Richton <richton@nbcs.rutgers.edu>
- Re: Brief syncrepl question
  - From: Michael L Torrie <torriem@chem.byu.edu>
- Re: Brief syncrepl question
  - From: Howard Chu <hyc@symas.com>
- Re: Brief syncrepl question
  - From: Michael L Torrie <torriem@chem.byu.edu>

Prev by Date: Re: Brief syncrepl question
Next by Date: Replication between 2.2.x and 2.3.x
Index(es):
- Chronological
- Thread