Dear all,

I was checking the TODO list prepared by Nick Daly and I see some references
to integrating LDAP in the FB. I tried to find more about it but I could not find
anything in the mailing list archives nor on the wiki. I'm writing this email
because I spent some time thinking about the need for LDAP on isolated hosts some
time ago and I wanted to share my findings.

I see the following reasons for including an LDAP daemon:

1) Centralized user authentication: all services on the box can authenticate
their users to the same directory. Moreover the directory runs under a different
user so that a compromised service cannot directly get hold of the password
hashes.

2) Centralized storage of configuration settings with fine grained access control.

3) Read-only directory of users of the box (I write read-only because LDAP editors
are quite unknown to most people).

For these three usages I think there are better ways to do them than using an LDAP
daemon. Namely:

1) Any Debian system already has a centralized user directory, i.e.
/etc/passwd. It is possible to authenticate against this database from most
daemons by using sasld. Using sasld also ensures that the service requesting
the authentication doesn't have direct access to the password storage. sasld
also uses pam so it is very simple to set up things like "user x can access
service y but not service z". Finally this approach works by using simple
plain files. I implemented this and it works well; if it is useful I can share
the config files.

2) Plinth is not running as root and doesn't directly own the configuration
files it can change. So the access control can be done when invoking the helper
that modifies the config (i.e. debconf). I never tried this personally, but I
guess it should work.

3) A list of the users of the box can be published over XMPP to all its users by
pre-adding all users of the box to the roster of each other. To store personal
address books the standard is nowadays CardDAV; there are clients for any OS.
I see therefore little interest in using LDAP in this case.

For these reasons I think it's not necessary to put LDAP in the freedombox.
Maybe I'm overlooking something (maybe some critical daemon is incompatible
with SASL?). I hope what I wrote can be of help in the design; I'm curious to
hear what the other opinions on this topic are.

Best,
Lorenzo
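
The per-service PAM policy sketched in point 1 ("user x can access service y but not service z") on top of saslauthd, as an added example that is not Lorenzo's configuration and not part of the original mail. It assumes Debian's sasl2-bin package (saslauthd reading /etc/default/saslauthd with MECHANISMS="pam") and stages the files under a hypothetical ROOT prefix so they can be reviewed before being copied to /.

```shell
#!/bin/sh
# Added example: per-service allow-lists for saslauthd via PAM.
# ROOT is a hypothetical staging prefix (default /tmp/saslauthd-stage);
# set ROOT=/ to write the real files.
ROOT="${ROOT:-/tmp/saslauthd-stage}"

# Debian's saslauthd defaults: authenticate through PAM, so the daemon that
# asks for a login never reads /etc/shadow itself; it only talks to the
# saslauthd socket (its user must be in group "sasl" on Debian).
write_saslauthd_defaults() {
    mkdir -p "$ROOT/etc/default"
    cat > "$ROOT/etc/default/saslauthd" <<'EOF'
START=yes
MECHANISMS="pam"
EOF
}

# One PAM stack per SASL service name (the -s value passed by the daemon).
# pam_listfile enforces the allow-list first; onerr=fail means a missing or
# unreadable list denies everyone instead of silently allowing. pam_unix
# then checks the password against /etc/shadow.
write_pam_service() {
    svc="$1"; shift
    mkdir -p "$ROOT/etc/pam.d" "$ROOT/etc/security"
    printf '%s\n' "$@" > "$ROOT/etc/security/${svc}.allowed"
    cat > "$ROOT/etc/pam.d/${svc}" <<EOF
auth    required  pam_listfile.so onerr=fail item=user sense=allow file=/etc/security/${svc}.allowed
auth    required  pam_unix.so
account required  pam_unix.so
EOF
}

# Mirror of the pam_listfile decision for a quick offline policy check:
# returns 0 when USER is on the allow-list for SERVICE.
user_allowed() {
    grep -qx "$2" "$ROOT/etc/security/$1.allowed"
}

# Constructed sample policy: alice and bob may use xmpp, only alice may use smtp.
write_saslauthd_defaults
write_pam_service xmpp alice bob
write_pam_service smtp alice
```

After `service saslauthd restart`, `testsaslauthd -u bob -p '<password>' -s xmpp` should answer OK while `-s smtp` answers NO for the same user.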

_______________________________________________
Freedombox-discuss mailing list
Freedombox-discuss@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
