Bug 226119 - Feature request: Add ldap data source for the NSS netgroup database
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: 11.0-STABLE
Hardware: Any Any
Importance: --- Affects Some People
Assignee: freebsd-bugs (Nobody)
Reported: 2018-02-22 14:38 UTC by Rick
Modified: 2018-03-07 17:11 UTC
Description Rick 2018-02-22 14:38:36 UTC
The nsswitch.conf man page describes the sources that are currently implemented for NSS which exclude LDAP. An LDAP data source will enable FreeBSD clients to more easily integrate with central user/account management frameworks like FreeIPA & sssd.

As an illustration of problems that would be mitigated with the implementation of an ldap data source, consider that in a centralized user accounting and management system, particularly FreeIPA, sudo queries the data source (sss) returning netgroups which sudo responds to by subsequently calling innetgr(). When called, innetgr() loads and iterates over /etc/netgroup looking for matching entries. As netgroup grows in size, so does the amount of time required to iterate it. For example, my tests using a ~1.5MB file consisting of ~31,000 entries took 30 seconds to return a password prompt as it traversed netgroup to ensure the invoking user was permitted to.

The following references describe FreeBSD deployment within a FreeIPA/sssd framework and illustrate that multiple users are deploying FreeBSD in such a configuration.

https://blog.hostileadmin.com/2016/03/24/integrating-freebsd-w-freeipasssd/
https://forums.freebsd.org/threads/freebsd-freeipa-via-sssd.46526/
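
The lookup cost described in the report, as an added example that is not part of the original bug report and is not FreeBSD's libc code: a small Python model of an innetgr()-style check over /etc/netgroup syntax, including nested netgroups and wildcard fields. All function names and the sample data are constructed; `scan_lookup` models the flat-file path that re-reads everything per call, while calling `parse` once and reusing the dict stands in (as an assumption) for a keyed source.

```python
import re

# Constructed sample in /etc/netgroup syntax: a name followed by
# (host,user,domain) triples and/or names of nested netgroups.
SAMPLE = """\
# constructed sample data
admins (,alice,) (,bob,example.org)
dbhosts (db1,,) (db2,,)
ops admins (,carol,) loop
loop ops
"""

TRIPLE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")

def parse(text):
    """Return {netgroup: (triples, nested_names)}; one pass over the whole file."""
    groups = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        rest = parts[1] if len(parts) > 1 else ""
        triples = [tuple(f.strip() for f in m) for m in TRIPLE.findall(rest)]
        nested = TRIPLE.sub(" ", rest).split()
        groups[parts[0]] = (triples, nested)
    return groups

def matches(triple, host, user, domain):
    """Empty triple field is a wildcard; None in the query skips that field."""
    return all(want is None or have == "" or have == want
               for have, want in zip(triple, (host, user, domain)))

def in_netgroup(groups, name, host=None, user=None, domain=None, _seen=None):
    """Membership test that follows nested netgroups and tolerates cycles."""
    seen = _seen if _seen is not None else set()
    if name in seen or name not in groups:
        return False
    seen.add(name)
    triples, nested = groups[name]
    if any(matches(t, host, user, domain) for t in triples):
        return True
    return any(in_netgroup(groups, n, host, user, domain, seen) for n in nested)

def scan_lookup(text, name, **query):
    """Flat-file model: every call re-reads and re-parses the whole file."""
    return in_netgroup(parse(text), name, **query)
```

With a file of tens of thousands of entries, the per-call `parse` in `scan_lookup` is the part that grows with file size; the membership walk itself only touches the groups reachable from the one being checked.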