Date: Wed, 03 Feb 1999 11:46:27 +0500
From: Konstantin Chuguev <joy@urc.ac.ru>
To: Wes Peters <wes@softweyr.com>
Cc: hackers@FreeBSD.ORG
Subject: Re: YP-like mySQL thing
Message-ID: <36B7F0C2.4FE4FAB5@urc.ac.ru>
References: <Pine.BSF.4.05.9902021630200.535-100000@bright.fx.genx.net> <36B7A3C0.AC423DEC@softweyr.com>
Wes Peters wrote:

> Alex, I suggest that if you think you need to modify libc to do this, you
> probably have not thought about it enough. I've been watching this thread
> for several days now, and wondering why it isn't sinking in that a PAM
> module to access the MySQL database would do what you are asking for
> without modifying libc. That's why PAM was added.

I seem to be missing something completely. Until now I was sure PAM was for an entirely different purpose.

I can log in/authenticate with S/Key, a cleartext password, a UNIX (/etc/master.passwd) password, Kerberos or something I wrote myself through any utility which uses PAM explicitly, such as login, su or xdm. I can write such a utility myself as well.

After the successful login, a service works with a user in a standard way, allowing or disallowing the user to do certain things depending on the service's configuration. POP/IMAP services usually have a very simple configuration, and so does UUCP. FTP or WWW can have a much more complicated configuration, and they often use /etc/[master.]passwd to look up the user's home directory. UNIX shell accounts are based on /etc/master.passwd completely: they learn from this file the user's id, group id, class, home dir and the shell implementation itself. The disk quota mechanism is based on UIDs and GIDs; file access permissions and every executable depend on UID and GID. Many things depend on the user's class. All the utilities call getpwent and/or getgrent for these purposes; PAM knows nothing about it. At least, I found nothing related to it in the PAM documentation.

What I cannot do with PAM is bind the user to this information. I don't want to use /etc/passwd for my customers because I have many servers with different services, including UNIX accounts. In other words, if FreeBSD supported NIS+, I'd probably use it.
But I prefer to use a database table for it, because the same database would have other tables with information about the same user's dial-up permissions, statistics, IP access lists, contracts, payments etc. And, of course, all those tables form one single relation. ISP staff members can have different access rights to this database: someone can add/delete/modify the contract information, a more technical person can change access lists or passwords, someone else can fetch the statistics. All with the database integrity guaranteed.

Am I wrong, and does PAM have callbacks reporting the UNIX user's attributes which are usually kept in /etc/passwd?

-- 
Konstantin V. Chuguev.          System administrator of Southern
http://www.urc.ac.ru/~joy/      Ural Regional Center of FREEnet,
mailto:joy@urc.ac.ru            Chelyabinsk, Russia.
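The attributes the mail says come from getpwent()/getgrent() rather than from PAM (uid, gid, login class, home directory, shell) are exactly the fields of a master.passwd(5) record. As an added example, not code from the mail or from FreeBSD, here is a strict C parser for that record format; the sample record and the struct and function names are constructed for illustration.

```c
/* Parse one FreeBSD master.passwd(5) record into the account fields that
 * getpwnam(3) hands to services (uid, gid, login class, home dir, shell).
 * Added example, not code from the mail; the sample record is constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NFIELDS 10  /* name:passwd:uid:gid:class:change:expire:gecos:home:shell */
#define CP(dst, src) snprintf((dst), sizeof (dst), "%s", (src))
struct mpw_entry {
    char name[64], passwd[128], login_class[64], gecos[128], home[256], shell[128];
    long uid, gid, change, expire;
};
/* Strict decimal parse: rejects empty strings and trailing junk. */
static int parse_long(const char *s, long *out) {
    char *end;
    if (*s == '\0') return -1;
    *out = strtol(s, &end, 10);
    return *end == '\0' ? 0 : -1;
}
/* Returns 0 on success, -1 if the record does not have exactly ten
 * colon-separated fields or a numeric field is malformed. */
int parse_master_passwd(const char *line, struct mpw_entry *e) {
    char buf[1024], *f[NFIELDS], *cur = buf, *colon;
    int n = 0;
    if (strlen(line) >= sizeof buf) return -1;
    strcpy(buf, line);
    buf[strcspn(buf, "\n")] = '\0';           /* drop trailing newline */
    while (n < NFIELDS - 1 && (colon = strchr(cur, ':')) != NULL) {
        *colon = '\0';
        f[n++] = cur;
        cur = colon + 1;
    }
    /* Need exactly nine separators; the last field must not hold another colon. */
    if (n != NFIELDS - 1 || strchr(cur, ':') != NULL) return -1;
    f[n] = cur;
    if (parse_long(f[2], &e->uid) || parse_long(f[3], &e->gid) ||
        parse_long(f[5], &e->change) || parse_long(f[6], &e->expire)) return -1;
    CP(e->name, f[0]);        CP(e->passwd, f[1]);  CP(e->login_class, f[4]);
    CP(e->gecos, f[7]);       CP(e->home, f[8]);    CP(e->shell, f[9]);
    return 0;
}
int main(void) {
    struct mpw_entry e;   /* constructed sample record */
    const char *rec = "alice:*:1001:1001:staff:0:0:Alice Example:/home/alice:/bin/sh";
    if (parse_master_passwd(rec, &e) == 0)
        printf("%s uid=%ld gid=%ld class=%s home=%s shell=%s\n",
               e.name, e.uid, e.gid, e.login_class, e.home, e.shell);
    return 0;
}
```

Empty class and gecos fields are accepted (as pwd_mkdb accepts them), while a malformed uid or a wrong field count is rejected rather than silently mapped to uid 0.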