Posted Mar 22, 2012 11:49 UTC (Thu) by ringerc (subscriber, #3071)
In reply to: !Bizarre by cortana
Parent article: Shadow hardening
I use regular OpenLDAP from the Debian archives. It's probably possible to optimise it for memory use and cut out optional features, but with RSS at 7MB I don't care to. Remember, much of that RSS is overhead - `grep` has 1MB RSS on my system!
That kind of memory use might be a concern on particularly tiny embedded boxes, but few of those will want a full NSS anyway; they're likely to be using busybox and uclibc with their very cut down identity stuff.
slapd restarts haven't been a problem the couple of times I've done them to add new schema. Requests through PAM or NSS are delayed until slapd comes up again, then continue as normal. The delay hasn't been noticeable since slapd restarts in a fraction of a second.
Because LDAP is an afterthought in Linux distros at the moment, the situation with ldap auth in current distros is absolutely rotten. The separation between system and LDAP users that you alluded to is the problem, and the lack of testing of package scripts etc. with LDAP adds to the pain. It's particularly bad when you need users the system thinks are "system" users to appear in the directory because they must be consistent across several systems for, say, NFS4 shared storage. Most package scripts will scream when they can't find the user in /etc/passwd even though it exists.
At this point I don't recommend running LDAP auth for Linux environments because it's badly tested and badly integrated into most distros as a half-assed afterthought. To work well, it must *replace* /etc/passwd and friends, not layer on top of them, and all system tools for user creation/removal/etc must manipulate LDAP transparently instead of passwd.
With the current situation I've even had to remove a user from LDAP and allow a package to create the user in the system auth files with a different auto-generated uid, then remove that generated user, add the original user back to ldap, and chown everything to the new uid. I'm not impressed.
As for my setup: I use plain old nscd on top of slapd.
FWIW, I don't particularly adore LDAP, but it's there and it works. Apple demonstrated the folly of rolling their own directory system with the short-lived NetInfo; IMO, LDAP should be adopted because we need *something* better than passwd, LDAP is there, and LDAP is mature and interoperable.
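The failure mode the comment describes (a package script grepping /etc/passwd and missing a user that only exists in the directory, then creating a duplicate with a fresh uid) can be caught before a package is installed by asking NSS rather than the flat file and comparing the two answers. The following is an added example written for this thread, not code from the commenter, OpenLDAP, nscd or any distro; the sample passwd text, the fake directory contents and the account names (`www-data` with a stale uid, `nfsadmin` as an LDAP-only user) are constructed for illustration.

```python
"""
Audit how accounts resolve on a host where the directory (LDAP behind
nscd/NSS) and /etc/passwd may disagree.  Added example, not from the
original comment.  The flat-file lookup mimics what naive package scripts
do; the NSS lookup is what they should do instead.
"""
import pwd
from typing import Callable, Dict, Iterable, Optional


def nss_uid(name: str) -> Optional[int]:
    """Resolve a user the way PAM/NSS consumers do (honours nsswitch.conf)."""
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None


def passwd_file_uid(name: str, passwd_text: str) -> Optional[int]:
    """Look a user up in raw passwd text only, i.e. the 'grep /etc/passwd' approach."""
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 3 and fields[0] == name:
            try:
                return int(fields[2])
            except ValueError:
                return None
    return None


def classify_user(name: str, passwd_text: str,
                  resolver: Callable[[str], Optional[int]] = nss_uid) -> str:
    """
    Compare the NSS view with the flat-file view of one account.
      'local'        - in /etc/passwd and NSS returns the same uid
      'directory'    - NSS resolves it but /etc/passwd does not (LDAP-only user)
      'file-only'    - in /etc/passwd but NSS cannot see it (nsswitch misconfigured)
      'uid-mismatch' - both know it with different uids (the duplicate-uid trap)
      'missing'      - neither source knows it
    """
    via_nss = resolver(name)
    via_file = passwd_file_uid(name, passwd_text)
    if via_nss is None and via_file is None:
        return "missing"
    if via_file is None:
        return "directory"
    if via_nss is None:
        return "file-only"
    return "local" if via_nss == via_file else "uid-mismatch"


def audit(names: Iterable[str], passwd_text: str,
          resolver: Callable[[str], Optional[int]] = nss_uid) -> Dict[str, str]:
    """Classify every account a package expects to exist; run before installing it."""
    return {n: classify_user(n, passwd_text, resolver) for n in names}


# Constructed sample data (not from any real host): the flat file has a stale
# www-data entry with uid 1002, while the directory says www-data is uid 33
# and also knows an LDAP-only account 'nfsadmin' used for shared NFS4 storage.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "www-data:x:1002:1002:www:/var/www:/usr/sbin/nologin\n"
)
FAKE_DIRECTORY = {"root": 0, "www-data": 33, "nfsadmin": 5000}


def fake_resolver(name: str) -> Optional[int]:
    """Stand-in for NSS backed by LDAP, so the example runs without a directory."""
    return FAKE_DIRECTORY.get(name)


if __name__ == "__main__":
    report = audit(["root", "www-data", "nfsadmin", "ghost"], SAMPLE_PASSWD, fake_resolver)
    for user, status in report.items():
        print(f"{user:10} {status}")
    # On a real host, drop the resolver argument and pass open('/etc/passwd').read().
```

In practice the resolver is the real `nss_uid`, so the check exercises the same nsswitch.conf path that PAM uses; a `directory` result for a user a package's maintainer script expects in /etc/passwd is the warning sign for the uid-churn scenario above, and `uid-mismatch` is the state it leaves behind.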