Re: [nssldap] release 0.2 of nss-ldapd

On Tuesday, 19 June 2007, Klaus Steinberger wrote:
> Am Montag 18 Juni 2007 schrieb Ralf Haferkamp:
> > On Monday 18 June 2007 17:39, Buchan Milne wrote:
> > > In discussions with Howard Chu, he indicated that if he were to
> > > re-design nss_ldap, it would be a slapd caching proxy ...
> >
> > Or even a local syncrepl replica instead of a proxy (when the source is a
> > syncrepl aware LDAP Server). But this would still mean that the NSS
> > module needs to link against some LDAP client library, which will get you
> > back to the symbol clashing issue (unless you link statically, which has
> > other disadvantages).
>
> A syncrepl replica would not be a good choice, as it would only talk with
> OpenLDAP. There are other LDAP Servers out there (and for some good reason)
> like Novell's Edirectory.

I don't think the paragraph above was meant to say that *only* syncrepl should be
allowed. But, do note that syncrepl is RFC'd; hopefully we should see more
servers support it in future.

> Also I think a proxy slapd is a bad choice too for those reasons:
>
> - a too big thing for every workstation, like shooting with guns on little
> birds

???

In the past I have run slapd instances on laptops just to have disconnected 
authentication ...

> - too complicated setup

At present. But, what if one were to have another binary built from OpenLDAP 
source which set itself up as a proxy-cache, where you only needed to 
configure it with the values you currently use to configure nss_ldap ?

> - it will have maybe also trouble with some other LDAP servers

???

Since nss_ldap currently uses the same libraries on most platforms, I don't 
see how you get to this statement. Especially since OpenLDAP can already 
proxy to all LDAP servers.

> So please do it "KISS"
>
> From what I have read in the discussion, a daemonized nss_ldap sounds like
> an interesting solution, it looks like it really solves some of the trouble
> I see with nss_ldap (even blocking the whole net on a dead nameserver). And
> it seems to be a simple enough setup.

But, it may be possible to keep the simplicity, but have a more robust and 
capable solution by going another route.

Regards,
Buchan

-- 
Buchan Milne
ISP Systems Specialist - Monitoring/Authentication Team Leader
B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)
http://en.wikipedia.org/wiki/List_of_Internet_slang_phrases