Re: RFC: Going the LDAP/Kerberos way with NetBSD.

On 1-May-08, at 6:48 AM, Anders Magnusson wrote:

> There has not been any suggestion at all to drop either files or nsswitch.
> Contrary, they play a significant role in NetBSD.  The only things in the "drop case" are:
> -  {s}pwd.db.  Should not be needed at all anymore.  Actually, I think that using
>    just the files when <50 entries in the passwd file would be faster than doing a
>    db lookup.   Haven't tested though, but would be quick to do.
>    The point here is that if there are more than 50 users on the system you probably
>    want a directory server on your machine.

There are several intertwined issues here.

First off, even on machines well over a decade old that number is  
probably _MUCH_ higher, say closer to 100, or even 200, and that's  
true even if they're running operating systems of the same era.  I did  
some careful tests for similar kinds of files on a 3B2/400 back in the  
late 1980's and found that even sorting the file and using a binary  
search was a waste of time, effort and complexity for fewer than at  
least 300 records.

The second issue is complexity, and as an issue it has many  
intertwined sub-issues.  :-)

While direct sequential file access is clearly simple, it may not be  
the simplest in terms of keeping system managers from doing stupid  
things when it is only one of several lookup methods and especially  
when there's more than one style of "local" lookup method.

The current *BSD practice of always stuffing everything into *.db  
files (for the local lookup case) gives us the simplest possible way  
of implementing (and managing) a method which is efficient for the  
widest range of database sizes from the very small to the rather  
large.  More recently I did tests on Pentium-II class machines showing  
that even 100,000 users can be handled efficiently with the current  
setup (modulo some minor adjustments to the db parameters set by  
pwd_mkdb).

What I'm gathering from this thread though is that some folks would  
rather introduce a great deal more complexity for the majority of  
users just to make things a little bit easier for the (relatively) few  
cases where NetBSD machines will be required to work within some  
networked environment which already provides LDAP directory services.   
You really don't want to have to run any kind of directory server,  
even one running locally on the same host, unless you really _must_  
participate in a network where use of such a service is mandatory.   
The unnecessary added complexity alone rules it out, never mind any  
untested concerns about overhead and efficiency.

Personally I think the _only_ change that's acceptable would be one  
which solely adds LDAP client support to nsswitch, and which does so  
in such a way that its code is completely surrounded by an #ifdef such  
as USE_LDAP (i.e. in the manner USE_YP should work).  In fact I would  
really very much like to have the option of choosing to use LDAP via  
/etc/nsswitch.conf.  In a perfect world it might even fit in using the  
same kind of "compat"(ability) record as YP uses (e.g. something like a  
"+" in the user field to direct further queries to an LDAP server).
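As an added illustration (not NetBSD code or anything from this thread), the following sketch shows how the "compat" record idea above behaves: the passwd file is walked in order, plain lines match locally, and a "+" (or "+user") entry hands the query to a directory, with "-user" blocking a directory user, following the YP-compat conventions. The directory is a plain dict standing in for an LDAP or YP server, and the passwd contents are constructed sample data.

```python
from typing import Optional

# Constructed sample passwd file with compat directives (not a real system file).
LOCAL_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/sh
+alice
-mallory
+
"""

# Constructed sample directory, standing in for what an LDAP/YP server returns.
DIRECTORY = {
    "alice":   "alice:*:1001:100:Alice:/home/alice:/bin/sh",
    "bob":     "bob:*:1002:100:Bob:/home/bob:/bin/sh",
    "mallory": "mallory:*:1003:100:Mallory:/home/mallory:/bin/sh",
}


def getpwnam_compat(name: str, passwd_text: str, directory: dict) -> Optional[str]:
    """Resolve `name` the way a compat-style passwd lookup would.

    Lines are processed top to bottom: a local entry matches by its first
    field; "+user" delegates only that user to the directory; a bare "+"
    delegates everyone not yet matched; "-user" seen earlier in the file
    blocks that user from being taken from the directory. Local entries
    therefore shadow directory entries, and order in the file matters.
    """
    excluded = set()
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        field0 = line.split(":", 1)[0]   # accept both "+alice" and "+alice:*:0:0:::"
        if field0.startswith("-"):
            excluded.add(field0[1:])
            continue
        if field0.startswith("+"):
            wanted = field0[1:]
            if (wanted and wanted != name) or name in excluded:
                continue
            hit = directory.get(name)
            if hit is not None:
                return hit
            continue                     # not in the directory; keep scanning
        if field0 == name:
            return line
    return None
```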

-- 
					Greg A. Woods; Planix, Inc.
					<woods <at> planix.ca>
