From: des@des.no (Dag-Erling Smørgrav)
To: "Jacques A. Vidrine"
Cc: freebsd-current@freebsd.org
Date: Mon, 01 Dec 2003 17:48:22 +0100
Subject: Re: NSS and PAM
In-Reply-To: <20031201142737.GC99428@madman.celabo.org> (Jacques A. Vidrine's message of "Mon, 1 Dec 2003 08:27:37 -0600")
References: <20031129011334.GC88553@madman.celabo.org> <20031201142737.GC99428@madman.celabo.org>
List-Id: Discussions about the use of FreeBSD-current

"Jacques A. Vidrine" writes:
> By `the two', do you mean directory services and authentication? They
> are certainly not `essentially one'. But I suspect you know this and
> I am just misunderstanding your meaning.

They are different issues, but in this context you can't discuss one
without the other. Authentication doesn't work unless you have a user
to authenticate. It makes no sense to separate them; you just end up
duplicating a lot of concepts and code. Also, is changing your
password an authentication function or a directory function? I don't
think you can answer either without answering both.

> I guess I think of it this way. If NSS had not been implemented
> `down in the mud' (inside getpw*, getgr*, gethostby*, etc.), then
> applications that used the UNIX directory service APIs would need to
> be re-written in order to utilize NSS. That's a lot of code to change
> for little benefit.

Backward compatibility is fine, but NSS does not seem to export an API
that we can use when we want to lift ourselves out of the mud, so we
are forced to keep rooting around in it. One consequence of this (and
of the artificial separation between NSS and PAM) is that passwd(1)
doesn't work properly except in the simplest cases.

> If I understand you correctly, you believe that it would be possible
> to unite the NSS and PAM switches, so that they used the same
> configuration file, dynamic loading mechanisms, cascading, and so
> on. Sure, I think that's possible. There might even be some benefit,
> though probably not enough benefit to abandon PAM/NSS and go our own
> way.

Not to go our own way, no. There's the rub. It would have to be a
reasonably wide effort; we'd need to get at least one major Linux
distro to adopt the same infrastructure.

DES
-- 
Dag-Erling Smørgrav - des@des.no
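The exchange above argues that the NSS and PAM switches duplicate the same concepts: an ordered list of backends, a configuration file that names them, and cascading rules that decide whether to stop or fall through. The Python model below is an added example, not FreeBSD's code and not anything the correspondents posted. It parses constructed fragments in nsswitch.conf(5) and pam.conf(5) syntax into one Step shape and runs both through a single cascade engine. The in-memory "files" and "ldap" stores, the module names pam_unix.so and pam_ldap.so, and the "fail_continue" action used to model PAM's `required` control are assumptions made for the model, and the model ends the walk as soon as the result is decided rather than running the remaining PAM modules for their side effects.

```python
"""Toy model of two switches with one engine: an nsswitch.conf-style directory
cascade and a pam.conf-style auth stack.  Constructed example, not FreeBSD code."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed configuration fragments in nsswitch.conf(5) / pam.conf(5) syntax.
NSSWITCH_CONF = """
# database: source [status=action ...] source ...
passwd: files [notfound=continue success=return] ldap
group:  files ldap
"""
PAM_CONF = """
# service  type  control     module
login      auth  sufficient  pam_unix.so
login      auth  required    pam_ldap.so
"""

# Constructed backends standing in for the passwd file and an LDAP tree (user -> password).
FILES = {"root": "toor"}
LDAP = {"alice": "s3cret"}


@dataclass
class Step:
    backend: str
    on: Dict[str, str]  # status -> "return" | "continue" | "fail_continue"


def run_cascade(steps: List[Step], call: Callable[[str], str]) -> str:
    """Walk a cascade; call(backend) yields a status string.

    "return" ends the walk with that status, "continue" moves on, and
    "fail_continue" (modelling PAM 'required') moves on but pins the final
    result to "fail".  If the stack runs out, the last status wins unless a
    required step failed.
    """
    last, failed = "notfound", False
    for step in steps:
        status = call(step.backend)
        action = step.on.get(status, "continue")
        if action == "return":
            # A 'sufficient' success cannot rescue an earlier 'required' failure.
            return "fail" if failed else status
        if action == "fail_continue":
            failed = True
        last = status
    return "fail" if failed else last


# nsswitch.conf(5) defaults: stop on success, fall through on anything else.
NSS_DEFAULTS = {"success": "return", "notfound": "continue",
                "unavail": "continue", "tryagain": "continue"}


def parse_nsswitch(text: str) -> Dict[str, List[Step]]:
    """`db: src [status=action ...] src` -> {db: [Step, ...]}."""
    dbs: Dict[str, List[Step]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        db, rest = (part.strip() for part in line.split(":", 1))
        steps: List[Step] = []
        for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
            if tok.startswith("["):  # criteria modify the preceding source
                for crit in tok.strip("[]").split():
                    status, action = crit.split("=")
                    steps[-1].on[status] = action
            else:
                steps.append(Step(tok, dict(NSS_DEFAULTS)))
        dbs[db] = steps
    return dbs


# PAM control words expressed as the same status -> action rules.
PAM_CONTROL = {
    "sufficient": {"success": "return", "fail": "continue"},
    "required":   {"success": "continue", "fail": "fail_continue"},
    "requisite":  {"success": "continue", "fail": "return"},
    "optional":   {"success": "continue", "fail": "continue"},
}


def parse_pam(text: str, service: str, mtype: str) -> List[Step]:
    """pam.conf(5) lines for one service and module type -> the same Step shape."""
    steps: List[Step] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        svc, typ, control, module = line.split()[:4]
        if svc == service and typ == mtype:
            steps.append(Step(module, dict(PAM_CONTROL[control])))
    return steps


def getpwnam(user: str) -> str:
    """Directory side: which source knows the user, walked via the nsswitch cascade."""
    stores = {"files": FILES, "ldap": LDAP}
    steps = parse_nsswitch(NSSWITCH_CONF)["passwd"]
    return run_cascade(steps, lambda src: "success" if user in stores[src] else "notfound")


def pam_authenticate(user: str, password: str) -> str:
    """Authentication side: same engine, different module names and control words."""
    modules = {"pam_unix.so": FILES, "pam_ldap.so": LDAP}
    steps = parse_pam(PAM_CONF, "login", "auth")
    return run_cascade(steps, lambda m: "success" if modules[m].get(user) == password else "fail")


if __name__ == "__main__":
    for u, p in [("root", "toor"), ("alice", "s3cret"), ("alice", "wrong"), ("bob", "x")]:
        print(f"{u:6} lookup={getpwnam(u):9} auth={pam_authenticate(u, p)}")
```

Both parsers emit the same Step list and both lookups run through run_cascade; the only differences are the backend names and the status-to-action table, which is the duplication the message points at.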