DragonFly kernel List (threaded) for 2003-11
Re: Bind update
On Sat, Nov 22, 2003 at 10:04:44PM -0500, Richard Coleman wrote:
> David Rhodus wrote:
> >DragonFly will not have a dynamic / unless someone does a custom compile
> >for their system.
> >As for NSS I'm not sure that is the best thing at this point....
> Most people don't really care whether / is dynamic or static. They just
> want NSS to work correctly. Or more accurately, they want their
> centralized authentication to work correctly.
NSS != authentication. The evil implementation of authentication is PAM.
To summarize the PAM vs. BSD auth discussion on NetBSD:
- BSD auth is simpler
- PAM seems to be pretty standard and platform independent
- the only thing BSD auth can't directly do is the PAG for AFS
- many PAM modules can run with a wrapper
- BSD auth cannot affect the calling process, e.g. by changing random stuff
The situation for NSS is similar:
- running in the same address space is risky (e.g. pam-ldap bugs)
- for lookup of remote information via LDAP or similar means
a cache is needed, either by a module-specific means or system wide
- leads to a messy interface as generalization
> It has become very common to implement centralized authentication using
> LDAP (or mysql). I've done this in several large projects for my
> previous employer (large web hosting company). It's harder than it
> sounds. If not done correctly, lots of little things do not work quite
> right (accounting file, or seeing uid in "ls" listing rather than username).
Again NSS != PAM. Those are two different systems.
> The most expedient method is dynamically linking in the correct NSS
> resolver. Other methods are possible (static resolver talking to
> resolver daemon). But with these other methods, I wonder how we can get
> all the third party PAM and NSS modules working. There are lots of
> them, and most assume the dynamic library method.
Most assume even more things. The question is what do you need?
Lookup support? Use a NSS backend for a message-based lookup server.
Authentication? Use either a direct BSD auth handler or a wrapper around
some PAM module. Do you need the four different parts of PAM? It is my
opinion that they're not that useful and often broken.
> Richard Coleman
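The message-based lookup server the reply argues for, as an added illustration that is not code from the mailing-list post or from DragonFly or NetBSD: a small static resolver stub speaks a length-prefixed JSON protocol to a separate daemon, the daemon owns the backend and a system-wide TTL cache, and a backend fault or malformed request is answered with an error instead of crashing the caller. The in-memory `BACKEND` table standing in for LDAP, the protocol framing, the class and function names, and the use of `socketpair()` in place of a Unix socket are all assumptions made for the example.

```python
"""Lookup daemon sketch (added example, not from the original thread).

The point being demonstrated: the resolver linked into every program stays
static and tiny; the code that talks to LDAP (or whatever) lives in one
separate process with its own cache, so its bugs cannot corrupt the
address space of the program doing the lookup.
"""
import json
import socket
import struct
import threading
import time

# Constructed sample directory; stands in for the remote LDAP backend.
BACKEND = {
    "alice": {"name": "alice", "uid": 1001, "gid": 1001, "dir": "/home/alice", "shell": "/bin/sh"},
    "bob": {"name": "bob", "uid": 1002, "gid": 1002, "dir": "/home/bob", "shell": "/bin/csh"},
}


def recv_exact(conn, n):
    """Read exactly n bytes from the socket, or return None on EOF."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf


def send_message(conn, obj):
    """Frame one JSON message with a 4-byte big-endian length prefix."""
    body = json.dumps(obj).encode()
    conn.sendall(struct.pack("!I", len(body)) + body)


class TTLCache:
    """System-wide cache kept by the daemon; negative answers are cached too."""

    def __init__(self, ttl_seconds, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self.entries = {}  # key -> (expires_at, value); value None means "no such entry"

    def get(self, key):
        hit = self.entries.get(key)
        if hit is None:
            return False, None
        expires_at, value = hit
        if self.clock() >= expires_at:
            del self.entries[key]
            return False, None
        return True, value

    def put(self, key, value):
        self.entries[key] = (self.clock() + self.ttl, value)


class LookupDaemon:
    """The separate process that owns the backend; here it runs in a thread."""

    def __init__(self, backend, ttl_seconds=60.0):
        self.backend = backend
        self.cache = TTLCache(ttl_seconds)
        self.backend_calls = 0  # counts real backend round trips, to show the cache working

    def query_backend(self, kind, value):
        if kind not in ("name", "uid"):
            raise ValueError("unknown lookup kind %r" % (kind,))
        self.backend_calls += 1
        if kind == "name":
            return self.backend.get(value)
        return next((e for e in self.backend.values() if e["uid"] == value), None)

    def handle(self, request):
        key = (request["kind"], request["value"])
        hit, entry = self.cache.get(key)
        if not hit:
            entry = self.query_backend(*key)
            self.cache.put(key, entry)
        return {"ok": True, "entry": entry}

    def serve(self, conn):
        while True:
            header = recv_exact(conn, 4)
            if header is None:
                return
            body = recv_exact(conn, struct.unpack("!I", header)[0])
            if body is None:
                return
            try:
                reply = self.handle(json.loads(body))
            except Exception as exc:  # a bad request must not take the daemon down
                reply = {"ok": False, "error": str(exc)}
            send_message(conn, reply)


class LookupClient:
    """Stand-in for the static resolver stub that would live in libc."""

    def __init__(self, conn):
        self.conn = conn

    def lookup(self, kind, value):
        send_message(self.conn, {"kind": kind, "value": value})
        header = recv_exact(self.conn, 4)
        if header is None:
            raise RuntimeError("lookup daemon closed the connection")
        reply = json.loads(recv_exact(self.conn, struct.unpack("!I", header)[0]))
        if not reply["ok"]:
            raise RuntimeError(reply["error"])
        return reply["entry"]

    def getpwnam(self, name):
        return self.lookup("name", name)

    def getpwuid(self, uid):
        return self.lookup("uid", uid)


def start_daemon(backend=BACKEND, ttl_seconds=60.0):
    """Wire daemon and client over a socketpair (a Unix socket in a real deployment)."""
    server_side, client_side = socket.socketpair()
    daemon = LookupDaemon(backend, ttl_seconds)
    threading.Thread(target=daemon.serve, args=(server_side,), daemon=True).start()
    return daemon, LookupClient(client_side)


def demo():
    daemon, client = start_daemon()
    first = client.getpwnam("alice")
    second = client.getpwnam("alice")  # served from the daemon's cache
    by_uid = client.getpwuid(1002)
    missing = client.getpwnam("nobody-here")
    client.getpwnam("nobody-here")  # negative entry is cached as well
    try:
        client.lookup("bogus", 0)  # malformed request: daemon answers with an error
    except RuntimeError:
        pass
    still_alive = client.getpwnam("bob")  # daemon keeps serving afterwards
    return {"first": first, "second": second, "by_uid": by_uid, "missing": missing,
            "still_alive": still_alive, "backend_calls": daemon.backend_calls}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` does six lookups but only four backend round trips: the repeated name and the repeated miss are answered from the cache, and the rejected `bogus` request never reaches the backend. A real deployment would put the daemon behind a Unix socket with restricted permissions and keep the client stub free of any parsing beyond the fixed framing shown here.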