I'm currently using an LDAP directory to do a few jobs, including acting as a
Network Information Server in a POSIX environment (Debian Linux) via
libnss-ldap. It's working great, with authentication handled by
Kerberos...simple and elegant SSO.
The question I have about RFC 2307, though, stems from a few applications that
I've encountered along the way that don't really do things in a POSIX way, and
while they can sift through my "people" ou just fine with filters I provide,
they generally want my groups to act like a groupOfNames entry, with full DN
member attributeTypes, insead of the POSIX uid alone.
Are the applications that I'm using simply being unreasonably inflexible? If so,
they're all open-source and adding in support to do things the RFC 2307 POSIX
way as well as the RFC 2256 groupOfNames way is not an unthinkably difficult task.
My initial feeling on this is that not everything is POSIX compatible, not
everything should be POSIX compatible, and it might be useful for me and others
to be able to abandon RFC 2307 for defining groups in favor of RFC 2256, which
appears to be the more "LDAP/X.500" way of doing things.
I'm using this directory for a few services, and Linux NSS is really the only
POSIX user in the bunch, so would it be "right" to instead fork and libnss-ldap
to support RFC 2256 for my implementation? If so, has this been done already?
Looking for input before I violate established best practice, and apologies if
I've failed at searching.
American Research Institute