[OpenAFS-devel] ptlocal abandoned - ptsldap created
Brett L. Trotter
blt@iastate.edu
Mon, 25 Apr 2005 12:05:59 -0500
Due to logistical problems, I abandoned ptlocal and decided to go with
creating an LDAP proxy for ptserver.
Currently, I have a version that seems to work fine with AD4UNIX extended
schema Active Directory style LDAP.
If you recall, ptproxy was created by Volker Lendecke, but became license
encumbered and is more or less on hold as far as I know. Ptproxy works great,
but has samba code. Even if the samba vs openafs licensing issue is resolve,
openldap is a slightly more universal approach to the same problems. Openldap
can successfully connect to an AD server and retrieve the same information as
the samba ptproxy implementation, and doesnt require joining the machine to
the domain- but granted searching an AD generally requires having an ldap
searcher account in the AD that has the right to dump/search the whole tree.
I created ptsldap completely from openafs code, and from the ldap.h manpages,
but no raw code was copied. As far as I know, it should be compatible with
the openafs licensing, but I'd like to know for sure. If it winds up being
compatible, my employer (iowa state university) is talking about being
willing to release it back into the openafs tree. It's not a guarantee, but
I'd say the liklihood is high.
One further license question I have is in trying to implement support for
reading /etc/ldap.conf, it comes to mind that nss_ldap has a whole section of
code devoted towards reading that file and setting up the connection and
doing searches - with failover already accounted for.. Rewriting that code
wouldn't be my favorite use of time, but obviously copying some of that code
might be a problem for the licensing issue, though it appears to be under
LGPL.
Now keep in mind this code is no where near fully tested, nor optimized. It
ditches a lot of support (like creating groups and users, etc), but all that
is potentially on the horizon- though in our current implementation, we do
not and will not be writing to the active directory from the unix side of
things.
As far as I know, there are more than a handful of people and organizations
looking to integrate OpenAFS with ActiveDirectory and/or ldap. I think this
is an important step in the right direction, though by no means a final
solution.
Are there any people on the list who could comment about these licensing
questions?
--
Brett Trotter
Engineering Computer Support Services
Iowa State University - 2240 Hoover Hall
tel: 515.294.2897 email: blt@iastate.edu