Re: Alternatives to LDAP
Okay, I'll bite.

> PAM is PITA.
> It is a chore to administer.

One four-line text file per app is "hard to administer"?

> It is heavy on resources (when you run servers spawning
> these modules for busy servers is a lot of CPU)

PAM modules are loaded dynamically. Most are less than 10 KB big. No
processes are spawned to use them; PAM runs in-proc.

> Its convoluted design is hard to even understand for most people.
> The documentation for it is lacking.

These points I'll grant you.

> And last time I tried pam-ldap
> (which admittedly was a long time ago) it did not even support MD5

What hashes pam_ldap supports directly depends entirely on what crypto
library you use to build it. But if you set OpenLDAP ACLs so that
pam_ldap can't read userPassword, pam_ldap doesn't need to support any
hashes at all; it just authenticates against the OpenLDAP server.

> The real problem is the lack of libraries for Unix-from-LDAP
> authentication. That said, anyone want to write gepw* for LDAP?

I assume you mean the getpw... APIs (with a "t"). This has been done
long ago; it's called nss_ldap.
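The ACL arrangement described above (pam_ldap never reads userPassword, it just binds as the user and lets the server check the hash) looks like the following in slapd.conf. This is an added example, not something from the poster or the OpenLDAP project; the suffix `dc=example,dc=com` and the `cn=nss,ou=svc,...` service account are assumptions.

```conf
# slapd.conf ACL fragment (OpenLDAP access-control syntax).
# Rules are evaluated in order; the first "access to" clause that
# matches the target attribute wins, so the userPassword rule must
# come before the catch-all.

# userPassword is never readable, not even by the entry's owner.
# "auth" lets the server compare a bind password against the stored
# hash without disclosing the hash; "write" lets the user change it.
# Any other reader (including the account nss_ldap/pam_ldap binds
# with for lookups) gets nothing back for this attribute.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Everything else (uid, uidNumber, homeDirectory, ...) is what
# nss_ldap needs for the getpw* lookups, so the lookup account and
# the user themselves may read it; anonymous gets nothing.
access to dn.subtree="dc=example,dc=com"
        by dn.exact="cn=nss,ou=svc,dc=example,dc=com" read
        by self read
        by users read
        by * none
```

With this in place the PAM side is the "four-line text file" the reply mentions: an `auth` and an `account` line each for `pam_ldap.so` and `pam_unix.so` in `/etc/pam.d/<service>`. pam_ldap sends the user's DN and cleartext password in a bind, and the hash algorithm in the directory is the server's concern alone. A quick check that the rule is effective is to bind as an ordinary user (or as the lookup account) with `ldapsearch` and confirm that `userPassword` is absent from the returned entry.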