DragonFly BSD
DragonFly kernel List (threaded) for 2003-11
[Date Prev][Date Next]  [Thread Prev][Thread Next]  [Date Index][Thread Index]

Re: Bind update


From: David Rhodus <drhodus@xxxxxxxxx>
Date: Sat, 22 Nov 2003 22:33:42 -0500

Richard Coleman wrote:

Most people don't really care whether / is dynamic or static. They just want NSS to work correctly. Or more accurately, they want their centralized authentication to work correctly.

It has become very common to implement centralized authentication using LDAP (or mysql). I've done this in several large projects for my previous employer (large web hosting company). It's harder than it sounds. If not done correctly, lots of little things do not work quite right (accounting file, or seeing uid in "ls" listing rather than username).

The most expedient method is dynamically linking in the correct NSS resolver. Other methods are possible (static resolver talking to resolver daemon). But with these other methods, I wonder how we can get all the third party PAM and NSS modules working. There are lots of them, and most assume the dynamic library method.


Right! Your statement about having to try and make all of this cruff work correctly is what I've
seen too many times. This is why I'm not sure NSS will help anything, most likely add more cruff
that has no synchronization boundary defined. One of the things we'll be doing in DragonFly
is to replace PAM/NSS with something much cleaner and efficient. Most of the protection
domains defined by these mechanisms are questionable for many reasons not just the added
complexly wrapped around them. As I've been working on some of the shared messaging
protocol code the past few days, I've found my self thinking about how to work in a clean
implementation of some rendezvous type code, which leads me back to the thought of how
we will be doing a lookupd type system in DragonFly. Which at that point we'll be able
to sit aside PAM/NSS, as they are in my book completely useless anyways. Anymore,
when I'm asked to implement a centralized authentication system using anything LDAP / MySQL
or anything, I'll spend the first day writing a User Account Management System for which
everything will use a custom client defined for the system type to authenticate off of the DB system.
I've been extremely successful is using a custom authentication method across various platforms, HPUX solaris, BSD, linux, AIX, etc.. than trying to make a PAM/NSS setup work.


-DR




[Date Prev][Date Next]  [Thread Prev][Thread Next]  [Date Index][Thread Index]