Bug 226119

Summary: Feature request: Add ldap data source for the NSS netgroup database
Product: Base System
Reporter: Rick <vrwmiller>
Component: bin
Assignee: freebsd-bugs (Nobody) <bugs>
Status: New
Resolution: ---
Severity: Affects Some People
CC: cem, chuck.gentry, freebsd, markj
Priority: ---
Version: 11.0-STABLE
Hardware: Any
OS: Any

Description Rick 2018-02-22 14:38:36 UTC
The nsswitch.conf man page describes the sources that are currently implemented for NSS which exclude LDAP. An LDAP data source will enable FreeBSD clients to more easily integrate with central user/account management frameworks like FreeIPA & sssd.

As an illustration of problems that would be mitigated with the implementation of an ldap data source, consider that with a centralized user accounting and management system, particularly FreeIPA, sudo queries the data source (sss), which returns netgroups, and sudo responds by subsequently calling innetgr(). When called, innetgr() loads and iterates over /etc/netgroup looking for matching entries. As netgroup grows in size, so does the amount of time required to iterate it. For example, my tests using a ~1.5MB file consisting of ~31,000 entries took 30 seconds to return a password prompt as it traversed netgroup to ensure the invoking user was permitted to.

The following references describe FreeBSD deployment within a FreeIPA/sssd framework and illustrate that multiple users are deploying FreeBSD in such a configuration.

https://blog.hostileadmin.com/2016/03/24/integrating-freebsd-w-freeipasssd/
https://forums.freebsd.org/threads/freebsd-freeipa-via-sssd.46526/
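The innetgr() scan that the report describes, as an added example that is not part of this bug report or of FreeBSD's libc: a small Python model of the /etc/netgroup file format and of the innetgr(3) matching rules (an empty field is a wildcard, "-" never matches, a NULL query argument matches any entry, nested netgroups are followed with a guard against cycles). The sample netgroup content is constructed; every lookup is a linear pass over the parsed entries, which is the cost that grows with the file.

```python
import re

# Constructed sample in /etc/netgroup format: "name member ...", a member being a
# (host,user,domain) triple or another netgroup's name; "\" continues the entry.
SAMPLE_NETGROUP = """\
admins  (,alice,example.com) (,bob,example.com)
dbhosts (db1.example.com,,example.com) \\
        (db2.example.com,,example.com)
ops     admins (,carol,example.com)
nobody  (-,-,-)
loop1   loop2
loop2   loop1
"""
TRIPLE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")

def parse_netgroup(text):
    """Return {name: [member, ...]}; a member is a 3-tuple or a nested group name."""
    groups, pending = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):                  # continuation onto the next line
            pending.append(line[:-1])
            continue
        tokens, pending = " ".join(pending + [line]).split(), []
        if tokens:
            groups[tokens[0]] = [tuple(m.groups()) if (m := TRIPLE.fullmatch(t)) else t
                                 for t in tokens[1:]]
    return groups

def field_matches(entry, query):
    """Entry "" is a wildcard and "-" never matches; a None query matches anything."""
    return entry != "-" and (query is None or entry in ("", query))

def innetgr(groups, netgroup, host, user, domain, _seen=None):
    """innetgr(3)-style lookup: a linear scan that recurses into nested netgroups."""
    _seen = set() if _seen is None else _seen
    if netgroup in _seen or netgroup not in groups:   # unknown name, or a cycle
        return False
    _seen.add(netgroup)
    for member in groups[netgroup]:
        if isinstance(member, tuple):
            if all(map(field_matches, member, (host, user, domain))):
                return True
        elif innetgr(groups, member, host, user, domain, _seen):
            return True
    return False
```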