[Date Prev][Date Next]
Re: Brief syncrepl question
Michael L Torrie wrote:
At one time conventional wisdom dictated that authorization and
authentication should be separate. So in keeping with that Apple's
solution was seen as a good one at the time. All the many different
kinds of authentications and hashes were kept in one service which could
automatically be kept in sync without the need for special mechanisms
(such as the overlay that syncs the userPassword and sambaNtPassword
field). However practice and theory are two different things and in
practice everyone uses LDAP for authentication as well as authorization.
And while storing sasl secrets in LDAP is convenient, to my knowledge
there was no mechanism for synchronizing and secrets, etc. And only
recently have I noticed policy mechanisms being implemented.
Password policy is an excellent example - we (Symas) were commissioned
by Hewlett-Packard to develop that code. If someone (e.g. Apple) had
stated the requirement sooner, it would have been implemented sooner.
And because HP stipulated that the resulting work be contributed back to
the Project, they get the added advantage of having it tested in
environments beyond what they originally envisioned. If/when their own
needs that originally prompted the work expand beyond its original
scope, the code will already be up to the task, in stable fully
I dislike immensely the way Apple has done these things. As you say
they should have worked with the community, but from what I can see
Apple hasn't ever embraced open source and the philosophy behind it.
However I can see the reasons why they implemented the password server
and intellectually, at least, I agree with them. But the implementation
Authentication and authorization are essential to all computer systems;
there's no reason to believe that their requirements were unique to
MacOS. It makes more sense to work in the open, so that the hard
thinking and work only needs to be done once, and has a strong
likelihood of being indefinitely reusable. I know what you mean about
Apple's philosophy, but even from a purely economical standpoint,
philosophy excluded, it makes no sense to bring the perpetual support
burden upon yourself of going it alone.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/