[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Alternatives to LDAP

To: Dan Melomedman <dan@devonit.com>
Subject: Re: Alternatives to LDAP
From: David Wright <ichbin@shadlen.org>
Date: Fri, 26 Jul 2002 20:54:26 -0700
Cc: OpenLDAP-software@OpenLDAP.org
References: <Pine.GSO.4.33.0207261752590.18127-100000@agassiz.cs.und.edu> <20020726233420.GE2551@mail.devonit.com>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020615 Debian/1.0.0-3


Okay, I'll bite.

PAM is PITA.


What's "PITA"?

It is a chore to administer.


One four-line text file per app is "hard to administer"?

It is heavy on resources (when you run servers spawning
these modules for busy servers is a lot of CPU)

PAM modules are loaded dynamically. Most are less than 10 KB big. No processes are spawned to use them; PAM runs in-proc.

Its convoluted design is hard to even understand for most people.
The documentation for it is lacking.


These points I'll grant you.

And last time I tried pam-ldap
(which admittedly was a long time ago) it did not even support MD5
passwords.

What hashes pam_ldap supports directly depends entirely on what crypto library you use to build it. But if you set OpenLDAP ACLs so that pam_ldap can't read userPassword, pam_ldap doesn't need to support any hashes at all; it just authenticates against the OpenLDAP server.

The real problem is the lack of libraries for Unix-from-LDAP
authentication. That said, anyone want to write gepw* for LDAP?

I assume you mean the getpw... APIs (with a "t"). This has been done long ago; it's called nss_ldap.

Follow-Ups:
- Re: Alternatives to LDAP
  - From: Frank Swasey <Frank.Swasey@uvm.edu>
- Re: Alternatives to LDAP
  - From: Dan Melomedman <dan@devonit.com>

References:
- Alternatives to LDAP
  - From: Caylan Van Larson <caylan@cs.und.edu>
- Re: Alternatives to LDAP
  - From: Dan Melomedman <dan@devonit.com>

Prev by Date: newbie: ldapsearch returns dreaded 'no such object'
Next by Date: too many open files?
Index(es):
- Chronological
- Thread