DragonFly BSD
DragonFly kernel List (threaded) for 2003-11
[Date Prev][Date Next]  [Thread Prev][Thread Next]  [Date Index][Thread Index]

Re: Bind update


From: Joerg Sonnenberger <joerg@xxxxxxxxxxxxxxxxx>
Date: Sun, 23 Nov 2003 15:37:16 +0100

On Sat, Nov 22, 2003 at 10:04:44PM -0500, Richard Coleman wrote:
> David Rhodus wrote:
> 
> >DragonFly will not have a dynamic / unless someone does a custom compile 
> >for their system.
> >As for NSS I'm not sure that is the best thing at this point....
> >
> >-DR
> 
> Most people don't really care whether / is dynamic or static.  They just 
> want NSS to work correctly.  Or more accurately, they want their 
> centralized authentication to work correctly.

NSS != authentication. The evil implementation of authentication is PAM.
So summarize the PAM vs. BSD auth discussion on NetBSD:
- BSD auth is simpler
- PAM seems to be pretty standard and platform independent
- the only thing BSD auth can't directly do is the PAG for AFS
- many PAM modules can run with a wrapper
- BSD auth cannot effect the calling process, e.g. by changing random stuff


The situation for NSS is similiar:
- running in the same address space is risky (e.g. pam-ldap bugs)
- for lookup of remote information via LDAP or similiar means
  a cache is needed, either by a module specific mean or system wide
- leads to a messing interface as generalization

> 
> It has become very common to implement centralized authentication using 
> LDAP (or mysql).  I've done this in several large projects for my 
> previous employer (large web hosting company).  It's harder than it 
> sounds.  If not done correctly, lots of little things do not work quite 
> right (accounting file, or seeing uid in "ls" listing rather than username).

Again NSS != PAM. Those are two different systems.

> 
> The most expedient method is dynamically linking in the correct NSS 
> resolver.  Other methods are possible (static resolver talking to 
> resolver daemon).  But with these other methods, I wonder how we can get 
> all the third party PAM and NSS modules working.  There are lots of 
> them, and most assume the dynamic library method.

Most assume even more things. The question is what do you need?
Lookup support? Use a NSS backend for a message-based lookup server.
Authentication? Use either a direct BSD auth handler or a wrapper around
some PAM module. Do you need the four different parts of PAM? It is my
opion that they're not that useful and often broken.

Joerg

> 
> Richard Coleman
> richardcoleman@xxxxxxxxxxxxxx



[Date Prev][Date Next]  [Thread Prev][Thread Next]  [Date Index][Thread Index]