
Re: Brief syncrepl question



Michael L Torrie wrote:
At one time conventional wisdom dictated that authorization and
authentication should be separate. So, in keeping with that, Apple's
solution was seen as a good one at the time. All the many different
kinds of authentications and hashes were kept in one service which could
automatically be kept in sync without the need for special mechanisms
(such as the overlay that syncs the userPassword and sambaNtPassword
fields). However, practice and theory are two different things, and in
practice everyone uses LDAP for authentication as well as authorization.
And while storing sasl secrets in LDAP is convenient, to my knowledge
there was no mechanism for synchronizing any secrets, etc. And only
recently have I noticed policy mechanisms being implemented.

Password policy is an excellent example - we (Symas) were commissioned by Hewlett-Packard to develop that code. If someone (e.g. Apple) had stated the requirement sooner, it would have been implemented sooner. And because HP stipulated that the resulting work be contributed back to the Project, they get the added advantage of having it tested in environments beyond what they originally envisioned. If/when their own needs that originally prompted the work expand beyond its original scope, the code will already be up to the task, in stable fully functioning condition.


I dislike immensely the way Apple has done these things. As you say,
they should have worked with the community, but from what I can see
Apple hasn't ever embraced open source and the philosophy behind it.
However, I can see the reasons why they implemented the password server
and, intellectually at least, I agree with them. But the implementation
is poor.

Authentication and authorization are essential to all computer systems; there's no reason to believe that their requirements were unique to MacOS. It makes more sense to work in the open, so that the hard thinking and work only needs to be done once, and has a strong likelihood of being indefinitely reusable. I know what you mean about Apple's philosophy, but even from a purely economical standpoint, philosophy excluded, it makes no sense to bring the perpetual support burden upon yourself of going it alone.


--
 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/