[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: commit: ldap/contrib/slapd-modules/nssov README nssov.c nssov.h pam.c

To: OpenLDAP Commit <openldap-commit2devel@openldap.org>
Subject: Re: commit: ldap/contrib/slapd-modules/nssov README nssov.c nssov.h pam.c
From: Howard Chu <hyc@symas.com>
Date: Thu, 23 Apr 2009 00:04:11 -0700
In-reply-to: <200904230556.n3N5ueHD047181@cantor.openldap.org>
References: <200904230556.n3N5ueHD047181@cantor.openldap.org>
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; rv:1.9.1b4pre) Gecko/20090407 SeaMonkey/2.0a1pre Firefox/3.0.3

hyc@OpenLDAP.org wrote:

Update of /repo/OpenLDAP/pkg/ldap/contrib/slapd-modules/nssov

Modified Files:
	README  1.5 ->  1.6
	nssov.c  1.10 ->  1.11
	nssov.h  1.6 ->  1.7
	pam.c  1.7 ->  1.8

Log Message:
More for sessions, working. TODO: configure list of sessions to record

For anyone interested, this is essentially code-complete. It works for me, butthere are several areas I want to tweak still. Feedback on usability would behelpful at this point. If anyone wants to jump in and get a real manpagestarted, that would be nice too.

The main objective here was to eliminate the libldap dependencies/clashes thatthe current pam_ldap/nss_ldap solutions all suffer from. A secondary objectivewas to allow for the possibility of more sophisticated caching than nscdprovides. (E.g., run slapd back-ldap + pcache on each node.) Of course, youcan also completey eliminate cache staleness considerations by running aregular database with syncrepl.

And of course, another major objective was to allow all security policy to beadministered centrally via LDAP, instead of having fragile rules scatteredacross multiple flat files. As such, there is no client-side configuration atall for the pam/nss stub libraries. (They talk to the server via a Unix domainsocket whose path is hardcoded to /var/run/nslcd/). As a side benefit, thiscan finally eliminate the perpetual confusion over /etc/ldap.conf vs/etc/openldap/ldap.conf.

User authentication is performed by internal simple Binds. User authorizationleverages the slapd ACL engine, which offers much more power and flexibilitythan the simple group/hostname checks in the old pam_ldap code.

At this point some cleanup is probably still needed, and merging the nslcdbits back into Arthur de Jong's code base is still underway. (Which means thiscode will be showing up in Debian soon, and I will be recommending it to theUbuntu guys next month as well.)


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Follow-Ups:
- Re: commit: ldap/contrib/slapd-modules/nssov README nssov.c nssov.h pam.c
  - From: Gavin Henry <ghenry@OpenLDAP.org>

Prev by Date: Re: Build farm central node
Next by Date: Re: commit: ldap/contrib/slapd-modules/nssov README nssov.c nssov.h pam.c
Index(es):
- Chronological
- Thread