[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: GDBM/DB password file support



On Thu, 10 Oct 1996, Aleph One wrote:

> This is starting to look very ugly. So now to select an authentication
> method we have to configure what 3 files?
> 
> /etc/pam.conf
> /etc/nsswitch.conf
> /etc/pwdb.conf

Actually, two. nsswitch is ignored completely.

> PAM was not only supposed to make things modular and pluggable but also
> centralized. Why should the pam_unix module be able to do RADIUS
> authentication?

It is not supposed to do RADIUS authentication. A separate radius module 
will be (and is) the best idea. I am writing it. But there is a possibility 
for the admin to have a 'merged' environment for user auth/session. And 
different modules _can_ cooperate now for managing the user datasources 
through the libpwdb.

> Even NIS and shadow are questionable.

No, they are not. I agree with RADIUS, but I tend to say that NIS and 
shadow are more 'natural'. IMHO it is better to have a more complex 
module (and now with libpwdb it is a simple matter of calling 
pwdb_locate for different datasources), than to _duplicate_ pam_unix into 
a pam_nis, pam_shadow, etc. Just think of the maintainability of this 
kind of setup - you change/correct something in pam_unix, then go for the 
same thing in pam_nis, pam_shadow, etc. Without libpwdb, pam_unix looks 
ugly, I agree, because it has to know about a lot of things. Now we have 
taken the datasource-related code into libpwdb and pam_unix got _so_ 
clean. Now you write something like:

	if (on(SHADOW_ARG))
		pwdb_locate(PWDB_SHADOW,...);
	if (on(NIS_ARG))
		pwdb_locate(PWDB_NIS,....);

The code looks nice and clean :-) [Note: actually the calls to 
pwdb_locate have a slightly different form, but you get the idea.]

> All these different
> systems should be merged into one. PAM. Yes, there is a lot of code
> shared between the unix, shadow, nis, and radius modules. But don't make a
> single module that selects on the fly what method to use!

No, it selects what _you_ are telling it to select. That's why you have 
arguments to modules in /etc/pam.conf. We have tried to make libpwdb a 
little more generic than for the sole use within the PAM project - that's 
why the /etc/pwdb.conf file showed up. But in fact within the PAM project 
it is possible to ignore the /etc/pwdb.conf file and tell the library 
functions directly what datasources to use. But to get this level of 
flexibility, other applications should use libpwdb outside PAM (i.e. 
login). And hence the need for an _optional_ /etc/pwdb.conf. Once again, 
if the application knows what it is doing, it may supply directly the 
datasource types to the libpwdb functions. If the application is meant to 
be generic, it will call the libpwdb functions with the default datasource 
type and the pwdb library will look into /etc/pwdb.conf, thus the 
application can be customized through /etc/pwdb.conf settings. Is that 
clear enough? :-)

> Write a library
> to share the code, and compile the modules separately. If I want NIS I'll
> add the pam_nis module to pam.conf. Thanks.

... If you want NIS you will add 'nis' arg to pam_unix module. Thanks. :-)

With best regards,

		Cristian Gafton
--
--------------------------------------------------------------------
Cristian Gafton                                    gafton@sorosis.ro
Computers & Communications Center              Network Administrator
35 Moara de Foc St., Iasi 6600, ROMANIA           Tel: +40-32-252938
http://www.cccis.ro                               Fax: +40-32-252933
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
UNIX is user friendly. It's just selective about who its friends are.
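The argument-driven datasource selection Gafton sketches above (`if (on(SHADOW_ARG)) pwdb_locate(PWDB_SHADOW, ...)`), written out as an added C example. This is not code from pam_unix or libpwdb: the in-memory tables standing in for /etc/passwd, /etc/shadow and an NIS map are constructed sample data, `db_locate` is a stand-in for the library lookup rather than the real `pwdb_locate` signature, the fixed shadow-then-nis-then-unix order is an assumption, and the rejection of unknown module arguments is a design choice added here (a misspelled argument in /etc/pam.conf should fail the configuration rather than silently leave a datasource disabled).

```c
#include <stdio.h>
#include <string.h>

/* Datasource bits; SRC_UNIX (the plain passwd file) is always on. */
enum { SRC_UNIX = 1, SRC_SHADOW = 2, SRC_NIS = 4 };

struct user_rec { const char *name; const char *hash; };

/* Constructed sample data standing in for /etc/passwd, /etc/shadow and an
 * NIS map. "x" is the usual passwd placeholder when the hash lives in shadow. */
static const struct user_rec unix_db[]   = { {"root", "x"}, {"alice", "x"}, {NULL, NULL} };
static const struct user_rec shadow_db[] = { {"root", "$1$r00t"}, {"alice", "$1$al1ce"}, {NULL, NULL} };
static const struct user_rec nis_db[]    = { {"bob", "$1$b0b"}, {NULL, NULL} };

/* Stand-in for the library lookup (the mail's pwdb_locate): one datasource,
 * one user. The real libpwdb call has a different signature (assumption). */
static const struct user_rec *db_locate(int src, const char *name)
{
    const struct user_rec *db;
    switch (src) {
    case SRC_UNIX:   db = unix_db;   break;
    case SRC_SHADOW: db = shadow_db; break;
    case SRC_NIS:    db = nis_db;    break;
    default:         return NULL;
    }
    for (; db->name; db++)
        if (strcmp(db->name, name) == 0)
            return db;
    return NULL;
}

/* Parse the argument column of a /etc/pam.conf line ("shadow nis") into a
 * bitmask of enabled datasources. Unknown words return -1 so that a typo
 * fails the configuration instead of silently dropping a datasource. */
int parse_module_args(const char *args)
{
    char buf[256];
    int flags = SRC_UNIX;
    if (strlen(args) >= sizeof buf)
        return -1;
    strcpy(buf, args);
    for (char *tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t")) {
        if (strcmp(tok, "shadow") == 0)   flags |= SRC_SHADOW;
        else if (strcmp(tok, "nis") == 0) flags |= SRC_NIS;
        else                              return -1;
    }
    return flags;
}

/* The dispatch the mail sketches: consult only the datasources the admin
 * turned on, in a fixed order (assumed here: shadow, nis, then passwd).
 * Returns the source bit that held the user, or 0 when no enabled source
 * knows the name. */
int locate_source(int flags, const char *name)
{
    static const int order[] = { SRC_SHADOW, SRC_NIS, SRC_UNIX };
    for (size_t i = 0; i < sizeof order / sizeof order[0]; i++)
        if ((flags & order[i]) && db_locate(order[i], name))
            return order[i];
    return 0;
}

/* Hash from the first enabled datasource that knows the user, else NULL. */
const char *locate_hash(int flags, const char *name)
{
    int src = locate_source(flags, name);
    return src ? db_locate(src, name)->hash : NULL;
}

int main(void)
{
    /* Four hypothetical /etc/pam.conf argument columns for pam_unix. */
    const char *lines[] = { "", "shadow", "shadow nis", "shadwo" };
    for (size_t i = 0; i < 4; i++) {
        int flags = parse_module_args(lines[i]);
        if (flags < 0) {
            printf("args \"%s\": rejected, unknown datasource argument\n", lines[i]);
            continue;
        }
        const char *h = locate_hash(flags, "alice");
        printf("args \"%s\": alice -> source %d, hash %s\n", lines[i],
               locate_source(flags, "alice"), h ? h : "(not found)");
    }
    return 0;
}
```

Without the `shadow` argument the module only ever sees the "x" placeholder from the passwd table, which is the practical consequence of the "it selects what you are telling it to select" point: the admin's arguments, not the module, decide which datasources are consulted, and a user known only to NIS (`bob`) is not found unless `nis` is listed.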


