Re: git: 94eda313a9d5 - main - mail/dovecot: add LDAP as a default option

From: Cy Schubert <Cy.Schubert_at_cschubert.com>
Date: Wed, 31 Jan 2024 05:54:38 UTC
In message <f87acd48c73fc9296e6ba3a40eccc010@FreeBSD.org>, Larry Rosenman writes:
> On 01/30/2024 11:05 pm, Cy Schubert wrote:
> > In message <202401310117.40V1HFmD014823@gitrepo.freebsd.org>, Larry Rosenman writes:
> >> The branch main has been updated by ler:
> >> 
> >> URL: https://cgit.FreeBSD.org/ports/commit/?id=94eda313a9d5acc5ff8d00fec7a51862f3e346da
> >> 
> >> commit 94eda313a9d5acc5ff8d00fec7a51862f3e346da
> >> Author:     Larry Rosenman <ler@FreeBSD.org>
> >> AuthorDate: 2024-01-31 01:15:05 +0000
> >> Commit:     Larry Rosenman <ler@FreeBSD.org>
> >> CommitDate: 2024-01-31 01:17:13 +0000
> >> 
> >>     mail/dovecot: add LDAP as a default option
> >> 
> >>     PR:     276741
> >>     Requested by: seichan-ml@wakhok.ne.jp
> > 
> > What's the compelling reason for this? The PR doesn't say why this would
> > benefit everyone and doesn't explain if any negative impacts were
> > non-existent or mitigated any way. IMO someone asking for a feature or
> > option without an analysis of impact can possibly result in a POLA
> > situation.
> > 
> > Why and will this cause any POLA?
>
> POLA shouldn't be a problem except for the ldap-client lib.  As to why,
> I didn't want to go through the argument with the user.  I can revert it
> if you want.

I just need to understand the rationale. It's not apparent to me.

>
> I really want a way to split our packages like the dovecot folks do for
> Linux, but I don't have that understood yet.
>
> As I said, if the project wants me to revert it, I can.

I use dovecot on my exterior gateway machine. It does not use my LDAP 
directory nor KRB5 realm in order to insulate those services in case this 
machine is compromised. If this requires my Internet facing machine to use 
my LDAP directory (+ KRB5 realm) this may be an issue. It may also be an 
issue for those in similar circumstances.

I don't use LDAP on my exterior machine to reduce risk to the directory 
should that machine be compromised.

With LDAP enabled in the software will I and those who don't use LDAP have 
to hook into an LDAP directory? Or does this simply add an option?


-- 
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  https://FreeBSD.org
NTP:           <cy@nwtime.org>    Web:  https://nwtime.org

			e^(i*pi)+1=0