Re: adding FreeBSD LOGIN_CLASS(3) support to nss-pam-ldapd

On Wed, 2017-07-19 at 14:40 +0200, Marek Zarychta wrote:
> Login class is a non-RFC 2307 compliant, strictly FreeBSD-related
> extension to the group mechanism. There is no "loginClass" or equivalent
> attribute in the OpenLDAP NIS schema, but it would be fine if it could be
> set to a value other than "default" for users authenticated via an LDAP
> directory, or remapped to, for example, the "description" attribute.

Hi,

Sorry for not responding earlier (a bit busy).

> The patch is available on FreeBSD Bugzilla here:
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220379
> 
> Is there any chance to include this patch in future releases of
> nss-pam-ldapd?

I think I've seen the patch before and the problem is that it modifies
the protocol between the NSS module and nslcd. This would be fine for
FreeBSD but the protocol is supposed to be platform-independent
(supports multi-arch systems and all). Another consequence of the
protocol change is that we would have to bump the nslcd version because
the newly running nslcd would not be able to communicate with programs
that have the old NSS module loaded.

We could add a separate NSLCD_ACTION_PASSWD_BYNAME_LOGINCLASS (etc.)
action but it would be a bit ugly so I'm not 100% sure what to do with
this patch.

I recognise that it is probably useful to have for FreeBSD. There may
also be other attributes that may be useful for other systems but that
would mean extending the protocol to have (almost arbitrary) extra key-
value pairs.

Any ideas on how to implement this properly (preferably without
backwards-compatibility problems) are very welcome.

Thanks,

-- 
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --
-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
https://lists.arthurdejong.org/nss-pam-ldapd-users/
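The message above turns on one design question: how to carry an extra, platform-specific attribute such as a login class between nslcd and the NSS module without breaking clients that still speak the old protocol. The following is an added illustration, not nss-pam-ldapd code and not its actual wire format: a hypothetical record layout in which the fixed fields are followed by a length-prefixed block of key/value extensions. An "old" reader that knows nothing about the block skips it by length and still gets name and uid; a "new" reader can look up "loginClass" inside it. Function names, the field layout and the sample record are all assumptions made for this example.

```c
/* Added example (hypothetical wire format, not nslcd's): fixed fields followed
 * by a length-prefixed extension block that old readers can skip. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_BUF 512

/* big-endian 32-bit integer helpers */
static void put32(uint8_t **p, uint32_t v) {
    (*p)[0] = v >> 24; (*p)[1] = v >> 16; (*p)[2] = v >> 8; (*p)[3] = v;
    *p += 4;
}
static uint32_t get32(const uint8_t **p) {
    uint32_t v = ((uint32_t)(*p)[0] << 24) | ((uint32_t)(*p)[1] << 16) |
                 ((uint32_t)(*p)[2] << 8)  |  (uint32_t)(*p)[3];
    *p += 4;
    return v;
}
/* strings travel as length + bytes, no terminating NUL */
static void put_str(uint8_t **p, const char *s) {
    size_t n = strlen(s);
    put32(p, (uint32_t)n);
    memcpy(*p, s, n);
    *p += n;
}
/* bounded read of a length-prefixed string; 0 on truncation or overflow */
static int get_str(const uint8_t **p, const uint8_t *end, char *out, size_t outsz) {
    if (end - *p < 4) return 0;
    uint32_t n = get32(p);
    if ((size_t)(end - *p) < n || n >= outsz) return 0;
    memcpy(out, *p, n);
    out[n] = '\0';
    *p += n;
    return 1;
}

/* Encode: name, uid, then [ext_len][count][key][value]... ; ext_key may be NULL.
 * Returns the number of bytes written (buf must hold MAX_BUF bytes). */
size_t encode_record(uint8_t *buf, const char *name, uint32_t uid,
                     const char *ext_key, const char *ext_val) {
    uint8_t *p = buf;
    put_str(&p, name);
    put32(&p, uid);
    uint8_t *len_pos = p;           /* placeholder for the extension length */
    put32(&p, 0);
    uint8_t *ext_start = p;
    if (ext_key) { put32(&p, 1); put_str(&p, ext_key); put_str(&p, ext_val); }
    else         { put32(&p, 0); }
    uint8_t *q = len_pos;
    put32(&q, (uint32_t)(p - ext_start));   /* patch in the real length */
    return (size_t)(p - buf);
}

/* "Old" reader: understands name and uid only and skips whatever follows
 * by its declared length instead of failing on it. Returns 1 on success. */
int decode_legacy(const uint8_t *buf, size_t len,
                  char *name, size_t namesz, uint32_t *uid) {
    const uint8_t *p = buf, *end = buf + len;
    if (!get_str(&p, end, name, namesz) || end - p < 8) return 0;
    *uid = get32(&p);
    uint32_t extlen = get32(&p);
    if ((size_t)(end - p) < extlen) return 0;
    p += extlen;                    /* unknown extension data: skip it */
    return p == end;
}

/* "New" reader: walks the extension block and returns 1 if key `want`
 * is present, copying its value into `val`. */
int decode_ext(const uint8_t *buf, size_t len, const char *want,
               char *val, size_t valsz) {
    const uint8_t *p = buf, *end = buf + len;
    char name[128], key[64];
    if (!get_str(&p, end, name, sizeof name) || end - p < 8) return 0;
    (void)get32(&p);                /* uid, not needed here */
    uint32_t extlen = get32(&p);
    if ((size_t)(end - p) < extlen) return 0;
    const uint8_t *ext_end = p + extlen;
    if (ext_end - p < 4) return 0;
    uint32_t count = get32(&p);
    while (count-- > 0) {
        if (!get_str(&p, ext_end, key, sizeof key)) return 0;
        if (!get_str(&p, ext_end, val, valsz)) return 0;
        if (strcmp(key, want) == 0) return 1;
    }
    return 0;
}

int main(void) {
    uint8_t buf[MAX_BUF];
    char name[64], val[64];
    uint32_t uid;
    /* constructed sample record: user "alice", uid 1001, loginClass "staff" */
    size_t n = encode_record(buf, "alice", 1001, "loginClass", "staff");
    if (decode_legacy(buf, n, name, sizeof name, &uid))
        printf("legacy reader: %s uid=%u (extension skipped)\n", name, uid);
    if (decode_ext(buf, n, "loginClass", val, sizeof val))
        printf("new reader: loginClass=%s\n", val);
    return 0;
}
```

The point of the layout is the explicit length in front of the extension block: a reader that predates the "loginClass" key can still consume the record correctly, which is what a version bump would otherwise be needed to guarantee. The length and count checks in the readers matter for the same reason a real nslcd would need them, since the data crosses a trust boundary between a privileged daemon and an arbitrary process that has the NSS module loaded.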