Arthur de Jong

Open Source / Free Software developer

author Arthur de Jong <arthur@arthurdejong.org> 2008-05-04 17:47:33 +0200
committer Arthur de Jong <arthur@arthurdejong.org> 2008-05-04 17:47:33 +0200
commit a2e1056039435439361cd396c30e8b5597cfc011 (patch)
tree ae8a67b0029dcca4d863fba0d8f3f18954c76c33
parent fbba05a665953f8e091594ed6752e29b777df897 (diff)
some documentation cleanups and updates
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-ldapd@727 ef36b2f9-881f-0410-afb5-c4e39611909c
-rw-r--r-- HACKING 22
-rw-r--r-- README 29
2 files changed, 30 insertions, 21 deletions
diff --git a/HACKING b/HACKING
index 4456ce5..8ec9072 100644
--- a/HACKING
+++ b/HACKING
@@ -36,12 +36,13 @@ For building svn snapshots the following tools are needed:
* automake (1.10 is used)
* check (0.9.5 is used)
-Also see debian/control (Build-Depends field) for libraries you need.
+and of course the usual build tools (gcc/make/etc). Also see debian/control
+(Build-Depends field) for libraries you need.
-and of course the usual build tools (gcc/make/etc). To build the svn snapshot
-run the autogen.sh shell script to build the configure script. When developing
-patches please use --enable-warnings with configure and don't introduce too
-many new warnings. For building the manual pages docbook2x is used.
+To build the svn snapshot run the autogen.sh shell script to build the
+configure script. When developing patches please use --enable-warnings with
+configure and don't introduce too many new warnings. For building the manual
+pages docbook2x is used.
RELEASE VERSIONING
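Review bot: docbook2x is only mentioned in the closing sentence ("For building the manual pages docbook2x is used.") while the other build requirements sit in the bulleted list above with the version used. Move it into that list in the same "* tool (x.y is used)" form so the requirements are in one place; the paragraph that now starts with a lowercase "and of course" would also read better as a full sentence.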
@@ -95,6 +96,7 @@ _nss_ldap_FUNCTION_r(...)
Currently a number of macros are used to build most of the function bodies for
these functions. A more elegant solution is welcome.
+Some handy links:
http://mirrors.usc.edu/pub/gnu/Manuals/glibc-2.2.3/html_chapter/libc_28.html#SEC596
http://www.gnu.org/software/libc/manual/html_node/index.html
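Review bot: the first link under "Some handy links:" points at a glibc-2.2.3 manual on a third-party mirror with a generated anchor (#SEC596), which is likely to go stale. Name the manual chapter being referred to next to the link, or link only to the gnu.org manual on the following line, so the reference survives if the mirror disappears.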
@@ -121,7 +123,9 @@ for time-out values and buffer sizes. Both tha NSS library and nslcd use this
module which means that it includes functionality that is needed for both
(e.g. large write buffers for the server part and large resettable read
buffers for the NSS part). Maybe building two modules from the same source
-with different features in them is an option.
+with different features in them is an option (e.g. the NSS part needs the
+read buffers and handling of SIGPIPE and the nslcd part needs the write
+buffers and possibly flushing in the background).
SERVER PART
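Review bot: the added parenthesis says the NSS part needs "handling of SIGPIPE" but not how it is handled. The NSS module runs inside whatever process performs the lookup, so any change to signal disposition made there is visible to that application; please describe the approach in this paragraph, for example whether the previous disposition is restored after the request. The context line in the hunk header ("Both tha NSS library") also still carries a typo that a cleanup commit could fix.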
@@ -132,7 +136,8 @@ the database specific functions.
nslcd_FUNCION(...)
This functions fills in the correct parameters from the request. This
- function should generate a response object (or more).
+ function should write responses to the stream. Almost all these functions
+ are generated from a macro in common.h.
SECURITY NOTES
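Review bot: "are generated from a macro in common.h" does not name the macro or say which common.h is meant, so a new contributor still has to search for it. Name the macro and give the path relative to the source root. The surrounding context lines "nslcd_FUNCION(...)" and "This functions fills" are left uncorrected by this cleanup and could be fixed in the same pass.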
@@ -145,4 +150,5 @@ process that was doing the name lookups. In this case the privileges of the
daemon are potentially exposed.
The deamon should be changed to set a specific less-privileged user and
-group to minimize the riscs.
+group to minimize the riscs. Code for this is already in place. Configuration
+options should be added and the Debian packaging should use this.
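Review bot: the rewritten line carries over the spelling "riscs", and "deamon" stays in the context line above; since the line is touched anyway, correct both. "Code for this is already in place" should also say where that code lives and whether it is active, because as written a reader of SECURITY NOTES cannot tell whether the daemon currently drops privileges or still depends on the configuration options that the next sentence says are yet to be added.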
diff --git a/README b/README
index 63f3168..ab4671f 100644
--- a/README
+++ b/README
@@ -12,7 +12,7 @@
Copyright (C) 1997-2006 Luke Howard
Copyright (C) 2006, 2007 West Consulting
- Copyright (C) 2006, 2007 Arthur de Jong
+ Copyright (C) 2006, 2007, 2008 Arthur de Jong
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
@@ -37,8 +37,6 @@ This is the nss-ldapd library which is an NSS module to do name lookups to an
LDAP directory server. This library was forked from nss_ldap as provided by
Luke Howard of PADL Software Pty Ltd.
-The library is currently work in progress.
-
The library allows distributing account, group, host and other configuration
information from a central LDAP server throughout an organisation. Because
LDAP is a hierarchical directory service, you can distribute the information
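Review bot: removing "The library is currently work in progress." leaves the introduction without any status statement, while the limitations list further down in the same README still reads "SSL/TLS support is untested but will be tested when the core code stabilizes". Either replace the removed sentence with a short pointer to that list or update the list in the same commit, so the two parts of the README do not give different impressions of maturity.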
@@ -72,7 +70,7 @@ The most practical improvements of nss-ldapd over nss_ldap are:
process will open it's own connection (this problem is also mitigated by
using nscd)
- hostname lookups should now be deadlock-free because the LDAP server name is
- no lonker looked up using the ldap method
+ no longer looked up using the ldap method
- the setup is easier to debug because logging on the server component can be
enabled without affecting "normal" processes
@@ -102,7 +100,7 @@ Currently the following name databases are supported:
Note that for when using IPv6 hosts entries, the addresses in the LDAP
directory must be in their preferred form. The same is true for mac addresses
for the ethers database. Otherwise the address->entry lookups will not work.
-For more details see
+For more details on the preferred form see
http://ldap.akbkhome.com/index.php/attribute/ipHostNumber.html
and
http://ldap.akbkhome.com/index.php/attribute/macAddress.html
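Review bot: "For more details on the preferred form see" still sends the reader to two pages on a third-party site for something that address->entry lookups depend on. Since the README already names RFC 2307 as the schema in use, cite the attribute definitions there and give one example of a preferred-form IPv6 address and MAC address inline. The context line "Note that for when using IPv6 hosts entries" also needs a grammar fix.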
@@ -112,6 +110,10 @@ supported because the NSS interface is not used for these. The common autofs
implementation (on GNU/Linux) currently uses it's own method for getting the
maps from LDAP.
+Although aliases is exposed through NSS, most mailservers parse /etc/aliases
+by themselves and getting aliases from LDAP requires some configuration in the
+mailserver.
+
The publickey, bootparams and netmasks are currently also unsupported. Some
investigation should be done if these are needed for anything, which
interfaces should be exported and how the LDAP schema part should look like.
@@ -134,8 +136,7 @@ and may cause problems.
- SSL/TLS support is untested but will be tested when the core code stabilizes
- the configuration file formats are not fully compatible
- nested groups are currently unsupported
-- SASL and Kerberos configuration is untested
-- rootbinddn/rootbindpw support is disabled and is not likely to return
+- rootbinddn/rootbindpw support is removed and is not likely to return
In general, the focus is to have the functionality that is present be well
tested and supported.
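Review bot: the item "SASL and Kerberos configuration is untested" is deleted with no replacement, although the commit is described as documentation cleanups only. If SASL and Kerberos binds have been tested since, say so (and with what); if not, keep the caveat, because readers use this list to decide which authentication setups they can rely on. The change from "disabled" to "removed" for rootbinddn/rootbindpw is clear as written.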
@@ -207,7 +208,7 @@ service discovery through DNS
-----------------------------
nss-ldapd supports looking up LDAP server names through DNS SRV records as
-specified in RFC 2782. However Priority and Weight are not considered
+specified in RFC 2782. However, Priority and Weight are not considered
separately and a single list of servers in added as if they had been specified
with uri options in the configuration file.
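Review bot: the context line "a single list of servers in added" should read "is added", and this hunk only fixes the comma after "However". It would also help to state in which order the servers from the SRV records end up in that list, since with Priority and Weight not considered separately an administrator cannot tell from this text which server will be tried first.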
@@ -223,7 +224,8 @@ LDAP SCHEMA
nss-ldapd supports a wide range of possible LDAP schema configurations.
Furthermore it can be customized heavily. The LDAP schema used is described in
RFC 2307. Groups with distinguished name members (instead of login names) (RFC
-2307bis) are currently unsupported.
+2307bis) are also supported, although use of memberUid has much better
+performance.
default attributes
------------------
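Review bot: the sentence changes from "are currently unsupported" to "are also supported", which documents a behaviour change rather than a cleanup; mention the version from which RFC 2307bis groups work so users of older releases are not misled. The claim "use of memberUid has much better performance" should give the reason in a few words so administrators can judge the cost of DN-valued members for their directory.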
@@ -234,16 +236,16 @@ configuration file. See the nss-ldapd.conf(5) manual page for details.
aliases (objectClass=nisMailAlias)
cn - alias name
- rfc822MailMember - members
+ rfc822MailMember - members of the alias (recipients)
ethers (objectClass=ieee802Device)
cn - host name
macAddress - ethernet address
group (objectClass=posixGroup)
cn - group name
userPassword - password
- memberUid - members
- uniqueMember - members
gidNumber - gid
+ memberUid - members (user names)
+ uniqueMember - members (DN values)
hosts (objectClass=ipHost)
cn - host name (and aliases)
ipHostNumber - addresses
@@ -260,10 +262,10 @@ passwd (objectClass=posixAccount)
userPassword - password
uidNumber - uid
gidNumber - gid
+ gecos - gecos
cn - gecos (if gecos is unset)
homeDirectory - home directory
loginShell - shell
- gecos - gecos
protocols (objectClass=ipProtocol)
cn - protocol name
ipProtocolNumber - protocol number
@@ -309,6 +311,7 @@ REPORTING BUGS
If you find any bugs or missing features please send email to
arthur@ch.tudelft.nl
+If you are using the Debian package you are encouraged to use the BTS.
Please include as much information as needed (platform, output of configure
if compilation fails, output of the failure, etc). Patches are more than
welcome (also see the file HACKING).
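Review bot: the added line "If you are using the Debian package you are encouraged to use the BTS." uses an abbreviation that is not expanded anywhere in the visible text and does not name the package to file against. Spell out "Debian Bug Tracking System (BTS)" and give the package name. The new line is also inserted directly under the e-mail address, so a blank line before it would keep the address visually separate.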