Date:      Wed, 21 Jul 1999 18:22:39 +0000
From:      Niall Smart <niall@pobox.com>
To:        Oscar Bonilla <obonilla@fisicc-ufm.edu>
Cc:        freebsd-hackers@FreeBSD.ORG
Subject:   Re: PAM & LDAP in FreeBSD
Message-ID:  <37960FEF.E6DBD6C0@pobox.com>
References:  <199907201520.LAA29350@cs.rpi.edu> <Pine.BSF.4.10.9907210141030.41996-100000@morden.rebel.net.au> <19990721094711.C1520@fisicc-ufm.edu>

[ CC list nuked ]

> Ok, here goes my understanding of how things should be, please correct me
> if I'm wrong.
> 
> There are three parts to the problem:
> 
> 1. Where do we get the databases from? I mean, where do we get passwd, group,
>    hosts, ethers, etc from.
> 
>    This should be handled by a name service switch a la Solaris. Basically
>    we want to be able to tell the system for each individual database where
>    to get the stuff from. We can add entries for each database in the system.

Not so much "where do we get the databases from" as "which databases
hold data for this particular service".  For example DNS can store
information for the hosts service (i.e. nameserver service) but could also
store cryptographic keys which could be used as host keys for ssh, for
example.  The service has a standard API (gethostbyname() for example, or
getpwnam()) which can search through multiple disparate database types.

(I may be mixing my terminology up here, it may be more conventional
to say "which services support this database", where the database
might be a load of struct pw for example, but hopefully it's clear what I
mean)

Each particular database type might have its own configuration file.
Taking the "hosts" service for example, the configuration file for
the DNS database is /etc/resolv.conf and there is no configuration
for the files database (which uses /etc/hosts).

> 2. How to authorize the user? I mean, what sort of authentication should we
>    use to decide if the user should be allowed in.
> 
>    This should be handled by PAM.

Yes, although login programs would require that a) getpwnam returns
non-NULL and b) pam_authenticate returns PAM_SUCCESS.
> 3. What password hash should we use when we have the username and the
>    password hash?
> 
>    This should be handled by the new modularized crypt.

This is a function of the pam_unix module; a PAM module can
use smartcards, retina scanners, body odour detectors, etc.,
so it may not use password hashes at all.  Each PAM module may
have its own configuration file to tell it which serial port the
smartcard reader is on, for example.

Regards,

Niall
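The "name service switch" dispatch described in point 1, as an added example (not code from the mail or from FreeBSD): one getpwnam-style API that walks the sources configured for the passwd database in order and returns the first hit. The `files` and `ldap` tables and the `nss_getpwnam` function are constructed stand-ins for the real backends; note that the configured order, not the caller, decides which record a user gets.

```c
/* Minimal nsswitch-style lookup for the passwd database (added example).
 * Each source is a separate backing store with its own lookup; the switch
 * consults them in the configured order and stops at the first match. */
#include <stdio.h>
#include <string.h>

struct pw_entry { const char *name; unsigned uid; const char *home; };

/* Constructed "files" source: stands in for /etc/passwd. */
static const struct pw_entry files_db[] = {
    {"root", 0, "/root"}, {"oscar", 1001, "/home/oscar"}, {NULL, 0, NULL}};
/* Constructed "ldap" source: stands in for a directory lookup. The
 * duplicate "oscar" shows that source order decides precedence. */
static const struct pw_entry ldap_db[] = {
    {"niall", 2001, "/home/niall"}, {"oscar", 9999, "/ldap/oscar"}, {NULL, 0, NULL}};

static const struct pw_entry *lookup_in(const struct pw_entry *db, const char *name) {
    for (; db->name != NULL; db++)
        if (strcmp(db->name, name) == 0) return db;
    return NULL;
}

struct source { const char *name; const struct pw_entry *db; };
static const struct source sources[] = {{"files", files_db}, {"ldap", ldap_db}};

/* `order` is the database's source list as it would appear in
 * nsswitch.conf, e.g. "files ldap". Sources are tried left to right.
 * Returns NULL when no source holds the user, which a login program must
 * treat as a failed login before it ever calls PAM. */
const struct pw_entry *nss_getpwnam(const char *order, const char *name) {
    char buf[64];
    strncpy(buf, order, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, " "); tok != NULL; tok = strtok(NULL, " ")) {
        for (size_t i = 0; i < sizeof sources / sizeof sources[0]; i++) {
            if (strcmp(sources[i].name, tok) != 0) continue;
            const struct pw_entry *e = lookup_in(sources[i].db, name);
            if (e != NULL) return e;
        }
        /* an unknown source name is skipped, like an unconfigured database */
    }
    return NULL;
}

int main(void) {
    const struct pw_entry *e = nss_getpwnam("files ldap", "oscar");
    printf("oscar -> uid %u (%s)\n", e ? e->uid : 0, e ? e->home : "none");
    return 0;
}
```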

