From: Robert Watson
Date: Thu, 4 Dec 2003 19:12:24 -0500 (EST)
To: Dag-Erling Smørgrav
cc: Jacques Vidrine
cc: freebsd-current@freebsd.org
Subject: Re: NSS and PAM

On Fri, 5 Dec 2003, Dag-Erling Smørgrav wrote:

> Jacques Vidrine writes:
> > Applications that use PAM to change the password when the password
> > expires seem to work out OK.
>
> This works because each backend knows whether or not the password needs
> changing (there is a flag to tell the module to only ask for a new
> password if the current password has expired). When you are purposely
> changing your password before it expires, things are a little less
> clear.
>
> Things might be easier if NSS had a proper API which included entry
> points for storing and updating user information (and not just for
> retrieving). Then pam_unix wouldn't need to know anything about
> /etc/spwd.db or NIS; it would just retrieve the information from NSS,
> note that the password had expired, ask the user for a new password and
> tell NSS to store it.

I think I agree pretty strongly with your earlier comment that the current
"struct passwd" is simply insufficient for a lot of the things we'd like to
accomplish. It's good for UNIX app compatibility and home directory
expansion, but it sounds like we need a much stronger notion of "user" than
we currently have. We bump into this in the existing login.conf,
setusercontext(), and the MAC code. It might be worth digging into Apple's
DirectoryServices, as well as Solaris's roles/etc equivalent.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Senior Research Scientist, McAfee Research
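The design Dag-Erling sketches above (an NSS-style switch with storage as well as retrieval entry points, so that a pam_unix-like module never touches a backend directly) can be illustrated with a small model. This is an added example written for this archive page, not code from FreeBSD, from the thread's participants, or from any real NSS or PAM implementation: the `UserStore`, `Switch`, `DictBackend` and `pam_unix_chauthtok` names are hypothetical, the `Passwd` dataclass carries only the fields the discussion needs (`pw_change` follows the FreeBSD convention that 0 means "never expires"), and the hash format is a constructed PBKDF2 string rather than any real crypt(3) scheme. The `change_expired_token` parameter plays the role of the "only ask for a new password if the current one has expired" flag mentioned in the quoted text (PAM's `PAM_CHANGE_EXPIRED_AUTHTOK`), and the unconditional path is the "purposely changing your password before it expires" case.

```python
"""Model of an NSS API with both retrieval and storage entry points.

Constructed example for illustration: none of these names are real
FreeBSD, NSS or PAM interfaces.
"""
import hashlib
import os
import time
from dataclasses import dataclass, replace
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class Passwd:
    """Subset of struct passwd. pw_change is the epoch time at which the
    password must be changed; 0 means it never expires (FreeBSD convention)."""
    pw_name: str
    pw_passwd: str
    pw_change: int


class UserStore:
    """The proposed 'proper NSS API': lookups *and* updates. A PAM module
    programs only against this interface, never against a backend."""

    def getpwnam(self, name: str) -> Optional[Passwd]:
        raise NotImplementedError

    def putpwnam(self, entry: Passwd) -> None:
        raise NotImplementedError


class DictBackend(UserStore):
    """Stand-in for one concrete backend (the role /etc/spwd.db or NIS
    would play). Holds constructed sample entries in memory."""

    def __init__(self, label: str, entries: Dict[str, Passwd]):
        self.label = label
        self._entries = dict(entries)

    def getpwnam(self, name: str) -> Optional[Passwd]:
        return self._entries.get(name)

    def putpwnam(self, entry: Passwd) -> None:
        if entry.pw_name not in self._entries:
            raise KeyError(entry.pw_name)  # only update existing users
        self._entries[entry.pw_name] = entry


class Switch(UserStore):
    """Routes each user to the backend that owns the entry, so a write goes
    back to the same source the lookup came from."""

    def __init__(self, *backends: UserStore):
        self._backends = backends

    def _owner(self, name: str) -> Optional[UserStore]:
        for backend in self._backends:
            if backend.getpwnam(name) is not None:
                return backend
        return None

    def getpwnam(self, name: str) -> Optional[Passwd]:
        owner = self._owner(name)
        return owner.getpwnam(name) if owner else None

    def putpwnam(self, entry: Passwd) -> None:
        owner = self._owner(entry.pw_name)
        if owner is None:
            raise KeyError(entry.pw_name)
        owner.putpwnam(entry)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Constructed '$pbkdf2$<salt>$<digest>' format; salted PBKDF2-SHA256."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"$pbkdf2${salt.hex()}${digest.hex()}"


def password_expired(entry: Passwd, now: int) -> bool:
    """True when the entry carries an expiry time that has passed."""
    return entry.pw_change != 0 and now >= entry.pw_change


def pam_unix_chauthtok(store: UserStore, user: str, ask_new: Callable[[], str],
                       change_expired_token: bool = False,
                       now: Optional[int] = None) -> str:
    """Hypothetical pam_unix password-change step built on UserStore.

    With change_expired_token set, only an expired password is replaced
    (the expiry-driven flow). Without it the change is unconditional (the
    'purposely changing before it expires' case). Note that nothing here
    knows which backend holds the user."""
    now = int(time.time()) if now is None else now
    entry = store.getpwnam(user)
    if entry is None:
        return "PAM_USER_UNKNOWN"
    if change_expired_token and not password_expired(entry, now):
        return "PAM_SUCCESS"  # nothing to do; password still valid
    new_password = ask_new()
    if not new_password:
        return "PAM_AUTHTOK_ERR"
    updated = replace(entry, pw_passwd=hash_password(new_password), pw_change=0)
    store.putpwnam(updated)  # stored through NSS, not by pam_unix itself
    return "PAM_SUCCESS"


def build_sample_store() -> Switch:
    """Two constructed backends: alice expired at t=1000, bob never expires."""
    files = DictBackend("files", {"alice": Passwd("alice", "old-hash", 1000)})
    nis = DictBackend("nis", {"bob": Passwd("bob", "old-hash", 0)})
    return Switch(files, nis)
```

Run stand-alone, `build_sample_store()` followed by `pam_unix_chauthtok(store, "alice", lambda: "s3cret", change_expired_token=True, now=5000)` rewrites alice's hash and clears her expiry, while the same call for bob returns success without changing anything, because his password has not expired.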