This is a discussion on Re: Question on Ldap within the lucky.openbsd.tech forums, part of the OpenBSD category.
Thorsten Glaser wrote:
> Nicholas Basila dixit:
>
> >>more roles and I think pam is a better choice for the long run. Having
> >
> Up to the point that you _cannot_ statically link ksh on GNU/Linux
> because it needs the nsswitch/pam libraries dlopen'd at run time, hah!
>
> I think it's best as-is. I can live with the requirement to have
> pseudo-users in /etc/master.passwd now.
>
> Maybe a YP-like kludge would solve that.

In the OpenBSD world we'll stick to BSD auth for authentication. But a better ldap integration than just auth_ldap is needed. With it, a good name service switch is needed too. When you have dozens of machines, you can't maintain pseudo-users in master.passwd and group.

It's too early to tell if a name service switch implementation will require shared libs or not. There's nothing in the technology that requires it to be implemented using dlopen'able modules. The list of possible sources can be static (files, yp, dns, ldap).

There are several steps to be done, which are equally important. The first one is to have a BSD-licensed ldap client library, and have auth_ldap working with it.

--
Matthieu
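The point Matthieu makes about a name service switch not needing dlopen'able modules is easy to show in code: the set of sources can be a compile-time table of function pointers, and a statically linked binary dispatches over it after reading an nsswitch.conf-style line. The following is an added illustration written for this page, not OpenBSD code or any proposal from the thread. The backend names (files, yp, dns, ldap), the in-memory sample records standing in for /etc/master.passwd and a directory, the NSS-style return codes and the `passwd: files yp ldap` spec string are all assumptions constructed for the example.

```c
/* Added example: a statically linked name-service switch dispatch.
 * Not OpenBSD code; shows that the list of sources can be a fixed table
 * compiled into libc instead of modules dlopen'd at run time.
 * Backend names, sample records and return codes are constructed. */
#include <stdio.h>
#include <string.h>

#define NSS_MAXSRC 8

/* Minimal passwd-style record. */
struct pw_rec {
    const char *name;
    unsigned uid;
};

/* Return codes modelled on the usual NSS convention (assumption). */
enum nss_status { NSS_NOTFOUND = 0, NSS_SUCCESS = 1, NSS_UNAVAIL = 2 };

typedef enum nss_status (*pw_lookup_fn)(const char *, struct pw_rec *);

/* Constructed sample data standing in for /etc/master.passwd and an
 * LDAP directory; a real backend would read the file or query the server. */
static const struct pw_rec files_db[] = { {"root", 0}, {"www", 67} };
static const struct pw_rec ldap_db[]  = { {"alice", 10001}, {"bob", 10002} };

static enum nss_status lookup_table(const struct pw_rec *db, size_t n,
                                    const char *name, struct pw_rec *out)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(db[i].name, name) == 0) { *out = db[i]; return NSS_SUCCESS; }
    return NSS_NOTFOUND;
}

static enum nss_status pw_files(const char *name, struct pw_rec *out)
{ return lookup_table(files_db, sizeof files_db / sizeof *files_db, name, out); }

static enum nss_status pw_ldap(const char *name, struct pw_rec *out)
{ return lookup_table(ldap_db, sizeof ldap_db / sizeof *ldap_db, name, out); }

/* yp and dns are in the static table but not configured on this host. */
static enum nss_status pw_unavail(const char *name, struct pw_rec *out)
{ (void)name; (void)out; return NSS_UNAVAIL; }

/* The complete, compile-time list of sources: nothing is loaded at run time. */
static const struct { const char *name; pw_lookup_fn fn; } sources[] = {
    {"files", pw_files}, {"yp", pw_unavail}, {"dns", pw_unavail}, {"ldap", pw_ldap},
};

/* Map an nsswitch.conf-style value ("files yp ldap") to function pointers.
 * An unknown source name is an error, not silently ignored: the closed
 * table is what makes the static design safe. */
static int parse_sources(const char *spec, pw_lookup_fn *out, int max)
{
    char buf[128];
    int n = 0;
    if (strlen(spec) >= sizeof buf) return -1;
    strcpy(buf, spec);
    for (char *tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t")) {
        int found = 0;
        for (size_t i = 0; i < sizeof sources / sizeof *sources; i++)
            if (strcmp(sources[i].name, tok) == 0) {
                if (n == max) return -1;
                out[n++] = sources[i].fn; found = 1; break;
            }
        if (!found) return -1;
    }
    return n;
}

/* Try each configured source in order; the first hit wins, and both
 * "not found" and "unavailable" fall through to the next source. */
enum nss_status getpw_switch(const char *spec, const char *name, struct pw_rec *out)
{
    pw_lookup_fn fns[NSS_MAXSRC];
    int n = parse_sources(spec, fns, NSS_MAXSRC);
    if (n <= 0) return NSS_UNAVAIL;
    for (int i = 0; i < n; i++)
        if (fns[i](name, out) == NSS_SUCCESS) return NSS_SUCCESS;
    return NSS_NOTFOUND;
}

/* Convenience wrapper: uid on success, -1 if not found, -2 if the
 * switch itself is unusable (bad spec, unknown source). */
int switch_uid(const char *spec, const char *name)
{
    struct pw_rec r;
    switch (getpw_switch(spec, name, &r)) {
    case NSS_SUCCESS:  return (int)r.uid;
    case NSS_NOTFOUND: return -1;
    default:           return -2;
    }
}

int main(void)
{
    const char *names[] = { "root", "alice", "nobody" };
    for (int i = 0; i < 3; i++) {
        int uid = switch_uid("files yp ldap", names[i]);
        if (uid >= 0) printf("%s -> uid %d\n", names[i], uid);
        else          printf("%s -> not found\n", names[i]);
    }
    return 0;
}
```

The whole program links statically because every backend is resolved at link time; adding a source means adding one entry to `sources[]` and rebuilding libc, which is the trade-off against loadable modules that the post leaves open.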