ltb-project/openldap-deb

review list of modules in contrib-overlays for new major version of OpenLDAP

davidcoutadeur opened this issue · 5 comments

The list of modules must be reviewed:

  • some must be added / replaced / removed

For reference, current contrib overlays list:

  • autogroup
  • lastbind
  • noopsrch
  • nssov
  • pw-pbkdf2
  • pw-sha2
  • smbk5pwd
  • pw-argon2

Overlays to keep (or not):

  • autogroup
  • lastbind: the main feature is included in core: the last successful authentication is saved into pwdLastSuccess. Enable this feature with lastbind on. If we decide not to include this overlay anymore, we will lose the lastbind-precision and lastbind_forward_updates features. I propose to do so.
  • noopsrch
  • nssov
  • pw-pbkdf2
  • pw-sha2
  • smbk5pwd
  • pw-argon2: included in core. See also the new tool to include in the packaging: slappw-argon2, to generate an argon2 hash
  • check-password: was created as a separate package: to remove
  • ppm: TODO: to include as a contributed overlay rather than a separate package

New overlays which may be of interest

  • adremap: converts AD attributes to POSIX format: can be interesting, but quite specific...
  • authzid (RFC 3829): the server answers with the identity of the client: interesting in an SSL or SASL authentication context
  • datamorph: stores integers and lists more efficiently: no real-life scenario
  • rbac: intercepts, decodes and enforces specific RBAC policies per the Apache Fortress RBAC data formats: too specific
  • totp: provides one-time password support (incompatible with lastbind!): may be interesting, but I have never seen a customer need for that
  • usn: adds MS AD usnCreated and usnChanged operational attributes to entries: no use case
  • variant: allows attributes/values to be shared between several entries: seems really useful. Maybe we could include this one
  • vc: provides the exop "verify credentials", but there is no spec, and I found no tool using it...

Reminder: overlays added in core

  • autoca: generates X.509 certificate/key pairs for entries in the directory
  • homedir: applies modifications to the user's home directory (in the filesystem) when the corresponding entry changes
  • otp: OATH One-Time Password module
  • remoteauth: delegates authentication requests to remote directories. Maybe it could replace SASL delegation...

For vc, we can have a look at:
https://git.openldap.org/openldap/openldap/-/commit/b31172dbf8ee88b7238a7e8aaf78e99ee488452e
and decide if it is interesting to add it.

The final contrib overlays list is:

  • autogroup
  • lastbind
  • noopsrch
  • nssov
  • pw-pbkdf2
  • pw-sha2
  • smbk5pwd
  • ppm
  • variant
  • vc

At this point (e9a2f14), the contrib-overlays package seems ready.
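The thread notes two contrib modules that moved into core in OpenLDAP 2.5: pw-argon2 (now the argon2 password module, with slappw-argon2 as the hash tool) and lastbind (now the lastbind database directive that maintains pwdLastSuccess). The slapd.conf fragment below is an added example written for this page, not configuration from the ltb-project packaging or from the issue; it shows the 2.4 contrib-overlay form in comments next to the 2.5 core form. The suffix dc=example,dc=com, the rootdn, the database directory, and the choice to load ppolicy as a module (to supply the pwdLastSuccess schema) are assumptions about the deployment, not anything the thread states.

```conf
# Added example (not from the ltb-project issue or packaging): slapd.conf
# fragment for the two core replacements discussed in the thread.
# Assumptions: suffix dc=example,dc=com, directory /var/lib/ldap, and that
# ppolicy is built as a loadable module and provides the pwdLastSuccess schema.

# OpenLDAP 2.4 with the contrib modules (kept here only for comparison):
#   moduleload pw-argon2.so
#   password-hash {ARGON2}
#   database mdb
#   suffix "dc=example,dc=com"
#   overlay lastbind

# OpenLDAP 2.5+: argon2 is a core password module, lastbind a core directive.
moduleload argon2
moduleload ppolicy

# Hash passwords set through the Password Modify extended operation with
# Argon2; existing {ARGON2} userPassword values (e.g. from slappw-argon2)
# are verified by the same module.
password-hash {ARGON2}

database mdb
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
directory /var/lib/ldap

# Core replacement for "overlay lastbind": on each successful bind, slapd
# writes the timestamp into the entry's pwdLastSuccess operational attribute.
# Placed before any overlay directive so it is parsed as a database directive.
lastbind on

overlay ppolicy
```

Note that only the basic behaviour is covered by the core directive; the lastbind-precision and lastbind_forward_updates options mentioned in the thread belong to the contrib overlay and are not part of this fragment.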