I'm currently using an LDAP directory to do a few jobs, including acting as a Network Information Server in a POSIX environment (Debian Linux) via libnss-ldap. It's working great, with authentication handled by Kerberos...simple and elegant SSO.
The question I have about RFC 2307, though, stems from a few applications that I've encountered along the way that don't really do things in a POSIX way, and while they can sift through my "people" ou just fine with filters I provide, they generally want my groups to act like a groupOfNames entry, with full DN member attributeTypes, instead of the POSIX uid alone.
Are the applications that I'm using simply being unreasonably inflexible? If so, they're all open-source and adding in support to do things the RFC 2307 POSIX way as well as the RFC 2256 groupOfNames way is not an unthinkably difficult task.
My initial feeling on this is that not everything is POSIX compatible, not everything should be POSIX compatible, and it might be useful for me and others to be able to abandon RFC 2307 for defining groups in favor of RFC 2256, which appears to be the more "LDAP/X.500" way of doing things.
I'm using this directory for a few services, and Linux NSS is really the only POSIX user in the bunch, so would it be "right" to instead fork and libnss-ldap to support RFC 2256 for my implementation? If so, has this been done already?
Looking for input before I violate established best practice, and apologies if I've failed at searching.
Thanks.
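An added example, not part of the original thread or of any of the software discussed: one way an application could read group membership from either a posixGroup entry (memberUid holding bare uids) or a groupOfNames entry (member holding full DNs). The people base `ou=people,dc=example,dc=org`, the function names and the sample entries are assumptions constructed for illustration; member DNs outside the people subtree are rejected rather than mapped to a login name.

```python
import re

PEOPLE_BASE = "ou=people,dc=example,dc=org"  # assumed directory layout

def split_dn(dn):
    """Split a DN into RDNs on commas not preceded by a backslash."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn) if p.strip()]

def uid_from_dn(dn, people_base=PEOPLE_BASE):
    """Return the uid only if dn is exactly uid=<x>,<people_base>, else None."""
    rdns, base = split_dn(dn), split_dn(people_base)
    if len(rdns) != len(base) + 1:
        return None
    if [r.lower() for r in rdns[1:]] != [b.lower() for b in base]:
        return None
    attr, _, value = rdns[0].partition("=")
    if attr.strip().lower() != "uid" or not value.strip():
        return None
    return value.strip()

def member_uids(entry, people_base=PEOPLE_BASE):
    """Collect login names from a group entry in either schema style.

    Returns (uids, rejected), where rejected lists member DNs that do not
    name a uid directly under people_base (nested groups, service
    accounts in other subtrees, and so on).
    """
    attrs = {k.lower(): v for k, v in entry.items()}
    uids = set(attrs.get("memberuid", []))      # posixGroup style
    rejected = []
    for dn in attrs.get("member", []):          # groupOfNames style
        uid = uid_from_dn(dn, people_base)
        if uid is None:
            rejected.append(dn)
        else:
            uids.add(uid)
    return uids, rejected

# Constructed sample entries, as an LDAP search might return them.
POSIX_GROUP = {"objectClass": ["posixGroup"], "cn": ["staff"],
               "gidNumber": ["1001"], "memberUid": ["alice", "bob"]}
NAMES_GROUP = {"objectClass": ["groupOfNames"], "cn": ["staff"],
               "member": ["uid=alice,ou=people,dc=example,dc=org",
                          "uid=bob,ou=People,dc=example,dc=org",
                          "uid=root,ou=services,dc=example,dc=org",
                          "cn=admins,ou=groups,dc=example,dc=org"]}

if __name__ == "__main__":
    print(member_uids(POSIX_GROUP))
    print(member_uids(NAMES_GROUP))
```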
On Friday 25 January 2008 16:12:06 Sean Myers wrote:
> I'm using this directory for a few services, and Linux NSS is really the only POSIX user in the bunch, so would it be "right" to instead fork and libnss-ldap to support RFC 2256 for my implementation? If so, has this been done already?
1) This question is probably more appropriate for the nss_ldap list.
2) Why fork software for a specific feature when it already supports your desired feature (the details of which would be better answered on the list dedicated to the software)?
Regards, Buchan
openldap-technical@openldap.org