Date:      Mon, 01 Dec 2003 17:48:22 +0100
From:      des@des.no (Dag-Erling Smørgrav)
To:        "Jacques A. Vidrine" <nectar@FreeBSD.org>
Cc:        freebsd-current@freebsd.org
Subject:   Re: NSS and PAM
Message-ID:  <xzp7k1geb6x.fsf@dwp.des.no>
In-Reply-To: <20031201142737.GC99428@madman.celabo.org> (Jacques A. Vidrine's message of "Mon, 1 Dec 2003 08:27:37 -0600")
References:  <20031129011334.GC88553@madman.celabo.org> <xzpbrqw7xsb.fsf@dwp.des.no> <20031201142737.GC99428@madman.celabo.org>

"Jacques A. Vidrine" <nectar@FreeBSD.org> writes:
> By `the two', do you mean directory services and authentication?  They
> are certainly not `essentially one'.  But I suspect you know this and
> I am just misunderstanding your meaning.

They are different issues, but in this context you can't discuss one
without the other.  Authentication doesn't work unless you have a user
to authenticate.  It makes no sense to separate them; you just end up
duplicating a lot of concepts and code.

Also, is changing your password an authentication function or a
directory function?  I don't think you can answer either without
answering both.

> I guess I think of it this way.  If NSS had not been implemented
> `down in the mud' (inside getpw*, getgr*, gethostby*, etc.), then
> applications that used the UNIX directory service APIs would need to
> be re-written in order to utilize NSS.  That's a lot of code to change
> for little benefit.

Backward compatibility is fine, but NSS does not seem to export an API
that we can use when we want to lift ourselves out of the mud, so we
are forced to keep rooting around in it.  One consequence of this (and
of the artificial separation between NSS and PAM) is that passwd(1)
doesn't work properly except in the simplest cases.

> If I understand you correctly, you believe that it would be possible
> to unite the NSS and PAM switches, so that they used the same
> configuration file, dynamic loading mechanisms, cascading, and so
> on.  Sure, I think that's possible.  There might even be some benefit,
> though probably not enough benefit to abandon PAM/NSS and go our own
> way.

Not to go our own way, no.  There's the rub.  It would have to be a
reasonably wide effort; we'd need to get at least one major Linux
distro to adopt the same infrastructure.

DES
-- 
Dag-Erling Smørgrav - des@des.no
