lorenzo at usucapio.net
Wed Oct 9 09:41:56 UTC 2013
I was checking the TODO list prepared by Nick Daly and I saw some references
to integrating LDAP in the FB. I tried to find out more about it but I couldn't
find anything in the mailing list archives nor on the wiki. I'm writing this
since I spent some time thinking about the need for LDAP in isolated hosts some
time ago and I wanted to share my findings.
I see the following reasons for including an LDAP daemon:
1) Centralized user authentication: all services on the box can authenticate
their users against the same directory. Moreover the directory runs under its
own user, so that a compromised service cannot directly get hold of the password
database.
2) Centralized storage of configuration settings with fine-grained access
control.
3) Read-only directory of the users of the box (I write read-only because
are quite unknown to most people).
For these three usages I think there are better ways to do them than
using an LDAP daemon:
1) Any Debian system already has a centralized user directory, i.e.
/etc/passwd. It is possible to authenticate against this database from most
daemons by using sasld. Using sasld also ensures that the service requesting
the authentication doesn't have direct access to the password storage. sasld
also uses PAM, so it is very simple to set up things like "user x can access
service y but not service z". Finally, this approach works with simple
plain files. I implemented this and it works well; if it is useful I can
share the config.
2) Plinth is not running as root and doesn't directly own the configuration
files it can change. So the access control can be done when invoking the
tool that modifies the config (i.e. debconf). I never tried this personally,
but I guess it should work.
3) A list of the users of the box can be published over XMPP to all its users
by pre-adding all users of the box to the roster of each other. To store
address books the standard nowadays is CardDAV, and clients for it exist.
I therefore see little interest in using LDAP in this case.
For these reasons I think it's not necessary to put LDAP in the FreedomBox.
Maybe I'm overlooking something (maybe some critical daemon is incompatible
with SASL?). I hope what I wrote can be of help in the design; I'd like to
hear what the other opinions on this topic are.
More information about the Freedombox-discuss
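The following is an added illustration of the setup described in point 1) of the message above, not the poster's own config (which is not on the page) and not FreedomBox project code. It assumes that "sasld" refers to Debian's saslauthd, that Postfix is the service asking for authentication (SASL service name "smtp"), and that a second service uses the SASL service name "xmpp"; the usernames in the allow file are a constructed sample. The point it shows is the one the message makes: the daemon that handles passwords is the only process that needs /etc/shadow (through pam_unix), each service gets a PAM policy of its own, and pam_listfile gives the "user x can access service y but not service z" rule with a plain text file.

```conf
# /etc/default/saslauthd  (Debian) -- run the auth daemon with the PAM back end.
# saslauthd, not the mail daemon, is the process that reads /etc/shadow via PAM;
# services only talk to the mux socket under -m.
START=yes
MECHANISMS="pam"
OPTIONS="-c -m /var/run/saslauthd"

# /etc/pam.d/smtp -- PAM policy for the SASL service name "smtp" (Postfix).
# One such file per service name; this one is restricted to a list of users.
# onerr=fail: a missing or unreadable list denies everyone rather than allowing.
auth     required  pam_listfile.so onerr=fail item=user sense=allow file=/etc/security/smtp.allowed
@include common-auth
@include common-account

# /etc/security/smtp.allowed -- constructed sample: one username per line.
alice
bob

# /etc/pam.d/xmpp -- same back end, no listfile, so every /etc/passwd user may
# authenticate here. Result: carol (not in smtp.allowed) gets XMPP but not SMTP.
@include common-auth
@include common-account
```

Postfix is pointed at the daemon with `pwcheck_method: saslauthd` in /etc/postfix/sasl/smtpd.conf, and the postfix user is added to the `sasl` group so it can open the socket (with a chrooted Postfix the socket has to live under /var/spool/postfix, which the Debian default file documents). The check that the policy does what the message claims is `testsaslauthd -u alice -p '<password>' -s smtp` (expect OK) against `testsaslauthd -u carol -p '<password>' -s smtp` (expect NO) and `... -s xmpp` (expect OK): the same credentials are accepted or refused purely on the service name, with no service ever holding the password file.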