Todd Underwood wrote:

> i don't agree. qmail+qmail-ldap is one way to do it, but in my opinion it
> duplicates a bunch of common code that already exists on PAM-capable OSes
> (like linux & solaris). if you use a PAM-capable OS and just configure
> the OS to authenticate and authorize users out of LDAP, qmail sees them as
> standard users (all of the standard C library functions for things like
> getuid gateway to PAM which gateways to LDAP).

For me, PAM is secondary. Straight LDAP is better. Not all *nix supports pam-ldap. Furthermore, PAM is bloated, hard to debug, understand, and write modules for, with the additional requirement of dynamically linked binaries. Statically-linked binaries can load much faster (especially when they're small). Take a look at the PAM API.

> to be fair, there are at least two good reasons for not using PAM as far as i
> can tell:
>
> 1) you are using OpenBSD for its security properties. in spite of the
> ongoing debacle that was OpenSSH last winter and much of this year,
> OpenBSD is still more secure than most OSes out there. it doesn't support
> PAM (probably because PAM is hard to code securely and hard to code at
> all).

Or FreeBSD, or any other OS which doesn't have pam-ldap or equivalent available. However, native LDAP support is more flexible, simpler, and faster.

> 2) you are using a PAM-capable OS but you trust the qmail-ldap patch's
> implementation of LDAP authentication/authorization more than you trust
> the PAM implementation. You're trying to reduce your exposure. this is a
> judgement call for you to make. i personally would rather use PAM-LDAP
> than add *huge* amounts of code from various sources to an otherwise
> extremely secure product (qmail), but YMMV.

Compare the size of the pam-ldap source to the size of the qmail source.
