
Re: Alternatives to LDAP

Okay, I'll bite.


> What's "PITA"?

> It is a chore to administer.

One four-line text file per app is "hard to administer"?

> It is heavy on resources (when you run servers spawning
> these modules, for busy servers it is a lot of CPU).

PAM modules are loaded dynamically. Most are less than 10 KB big. No processes are spawned to use them; PAM runs in-proc.

> Its convoluted design is hard to even understand for most people.
> The documentation for it is lacking.

These points I'll grant you.

> And last time I tried pam-ldap
> (which admittedly was a long time ago) it did not even support MD5.

What hashes pam_ldap supports directly depends entirely on what crypto library you use to build it. But if you set OpenLDAP ACLs so that pam_ldap can't read userPassword, pam_ldap doesn't need to support any hashes at all; it just authenticates against the OpenLDAP server.

> The real problem is the lack of libraries for Unix-from-LDAP
> authentication. That said, anyone want to write gepw* for LDAP?

I assume you mean the getpw... APIs (with a "t"). This has been done long ago; it's called nss_ldap.
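The ACL arrangement described above (pam_ldap never reading userPassword and instead authenticating by binding to the server), written out as an added example in slapd.conf syntax; it is not from the original thread, and the attribute names are the standard OpenLDAP ones.

```conf
# Weak: any client that can read the entry also gets the password hash,
# so a PAM module would end up comparing hashes client-side and the
# hash format then matters (the MD5 complaint above).
# access to attrs=userPassword
#     by * read

# Corrected: no one can read userPassword. Clients may only present it
# in a simple bind ("auth"), and users may change their own.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Account data (uid, uidNumber, homeDirectory, ...) stays readable so
# nss_ldap can still resolve users and groups.
access to *
    by * read
```

slapd evaluates `access to` clauses in order and stops at the first match, so the userPassword rule must precede the catch-all, otherwise `by * read` silently exposes the hashes again.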