
Re: Brief syncrepl question

On Tue, 2006-05-30 at 13:15 -0700, Howard Chu wrote:
> Yes, it's unfortunate that Apple didn't coordinate with the OpenLDAP 
> Project on their requirements in the past. There's been better 
> communication more recently, and hopefully they'll take advantage of the 
> supported extension hooks in OpenLDAP 2.3+ going forward. Personally I 
> think their password server was never necessary; support for 
> in-directory SASL secrets in OpenLDAP 2.1 obviated it from the get-go. 
> Another fine example of what happens when you take code but don't 
> participate in the community - reinvent the wheel, using an axle that 
> doesn't fit...

At one time conventional wisdom dictated that authorization and
authentication should be separate.  So, in keeping with that, Apple's
solution was seen as a good one at the time.  All the many different
kinds of authentications and hashes were kept in one service which could
automatically be kept in sync without the need for special mechanisms
(such as the overlay that syncs the userPassword and sambaNtPassword
fields).  However, practice and theory are two different things, and in
practice everyone uses LDAP for authentication as well as authorization.
And while storing SASL secrets in LDAP is convenient, to my knowledge
there was no mechanism for synchronizing such secrets, etc.  And only
recently have I noticed policy mechanisms being implemented.

I dislike immensely the way Apple has done these things.  As you say,
they should have worked with the community, but from what I can see
Apple hasn't ever embraced open source and the philosophy behind it.
However, I can see the reasons why they implemented the password server,
and intellectually, at least, I agree with them.  But the implementation
is poor.