hyc@OpenLDAP.org wrote:
Update of /repo/OpenLDAP/pkg/ldap/contrib/slapd-modules/nssov
Modified Files: README 1.5 -> 1.6 nssov.c 1.10 -> 1.11 nssov.h 1.6 -> 1.7 pam.c 1.7 -> 1.8
Log Message: More for sessions, working. TODO: configure list of sessions to record
For anyone interested, this is essentially code-complete. It works for me, but there are several areas I want to tweak still. Feedback on usability would be helpful at this point. If anyone wants to jump in and get a real manpage started, that would be nice too.
The main objective here was to eliminate the libldap dependencies/clashes that the current pam_ldap/nss_ldap solutions all suffer from. A secondary objective was to allow for the possibility of more sophisticated caching than nscd provides. (E.g., run slapd back-ldap + pcache on each node.) Of course, you can also completely eliminate cache staleness considerations by running a regular database with syncrepl.
And of course, another major objective was to allow all security policy to be administered centrally via LDAP, instead of having fragile rules scattered across multiple flat files. As such, there is no client-side configuration at all for the pam/nss stub libraries. (They talk to the server via a Unix domain socket whose path is hardcoded to /var/run/nslcd/). As a side benefit, this can finally eliminate the perpetual confusion over /etc/ldap.conf vs /etc/openldap/ldap.conf.
User authentication is performed by internal simple Binds. User authorization leverages the slapd ACL engine, which offers much more power and flexibility than the simple group/hostname checks in the old pam_ldap code.
At this point some cleanup is probably still needed, and merging the nslcd bits back into Arthur de Jong's code base is still underway. (Which means this code will be showing up in Debian soon, and I will be recommending it to the Ubuntu guys next month as well.)
----- "Howard Chu" hyc@symas.com wrote:
hyc@OpenLDAP.org wrote:
Update of /repo/OpenLDAP/pkg/ldap/contrib/slapd-modules/nssov
Modified Files: README 1.5 -> 1.6 nssov.c 1.10 -> 1.11 nssov.h 1.6 -> 1.7 pam.c 1.7 -> 1.8
Log Message: More for sessions, working. TODO: configure list of sessions to record
For anyone interested, this is essentially code-complete. It works for me, but there are several areas I want to tweak still. Feedback on usability would be helpful at this point. If anyone wants to jump in and get a real manpage started, that would be nice too.
Done. A copy from slapo-chain and a mixture of nssov/README and this e-mail.
Something to start with.
Now back to getting my head round the Samba build stuff. Should have a web page up today-ish.
Cheers.
Gavin Henry wrote:
----- "Howard Chu" hyc@symas.com wrote:
hyc@OpenLDAP.org wrote:
Update of /repo/OpenLDAP/pkg/ldap/contrib/slapd-modules/nssov
Modified Files: README 1.5 -> 1.6 nssov.c 1.10 -> 1.11 nssov.h 1.6 -> 1.7 pam.c 1.7 -> 1.8
Log Message: More for sessions, working. TODO: configure list of sessions to record
Done...
For anyone interested, this is essentially code-complete. It works for me, but there are several areas I want to tweak still. Feedback on usability would be helpful at this point. If anyone wants to jump in and get a real manpage started, that would be nice too.
Done. A copy from slapo-chain and a mixture of nssov/README and this e-mail.
Something to start with.
Thanks. I've now replaced it with up to date descriptions of all the keywords.
One thing that's still missing is a mechanism for grouping hosts together, for authorization purposes. I suppose one possibility would be to use slapo-collect to provide the authorizedService attribute to a collection of hosts...
Howard Chu wrote:
Gavin Henry wrote:
----- "Howard Chu" hyc@symas.com wrote:
hyc@OpenLDAP.org wrote:
Update of /repo/OpenLDAP/pkg/ldap/contrib/slapd-modules/nssov
Modified Files: README 1.5 -> 1.6 nssov.c 1.10 -> 1.11 nssov.h 1.6 -> 1.7 pam.c 1.7 -> 1.8
Log Message: More for sessions, working. TODO: configure list of sessions to record
Done...
For anyone interested, this is essentially code-complete. It works for me, but there are several areas I want to tweak still. Feedback on usability would be helpful at this point. If anyone wants to jump in and get a real manpage started, that would be nice too.
Done. A copy from slapo-chain and a mixture of nssov/README and this e-mail.
Something to start with.
Thanks. I've now replaced it with up to date descriptions of all the keywords.
Great. I'm quite behind these two weeks as lots of other work is on. I should be back to the docs and build farm soon.
One thing that's still missing is a mechanism for grouping hosts together, for authorization purposes. I suppose one possibility would be to use slapo-collect to provide the authorizedService attribute to a collection of hosts...