
Using PAM to ease load, add access control to NIS



While on another list, and discussing NIS and the load it creates, I had
a thought:

I learned on this list the other day that PAM/pwdb checks the first
entry in those bunches, and if the user doesn't exist there, doesn't go
on (right?). 

So, does that mean it would be possible to maintain a regular
/etc/passwd file of the kind kept on shadow systems (i.e. with x'd or *'d
passwords), and rewrite the pwdb.conf to say unix+nis, in order to make
simple things like uid<->username lookups not have to call the yp
server?

It seems like if this was possible, there'd be both a con and a pro to
it:

Con: You'd have to distribute /etc/passwd files, which would lead some
to say "Let's just rdist the actual password file and be done with it."

However, you'd only have to send out a new one when accounts were
added/deleted, as opposed to every time someone changed their password.

Pro: If this worked out like I think, it seems like you'd be able to
have one giant NIS space, and then tailor each machine to only allow
certain users on by only giving certain users /etc/passwd entries.

This wouldn't be perfect, however, until everything was pamified and
nothing was calling the builtin code in libc, since the libc code
wouldn't respect this... It would say "oh, no entry in the password
file, ok, that means I look to NIS."

So, am I on the right track with this?

jim
jhebert@compu-aid.com

PS I got a thread going on the (newly created) redhat-isp-list about
NIS's load... I'm investigating the part of it here and intend to post a
summary there. Thanks!
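
An added example (not part of the original post): a drift check for the scheme discussed above, assuming it behaves as the post supposes. It compares a host's stub passwd file with the NIS passwd map (both as passwd(5)-format text, such as `ypcat passwd` output) and reports which NIS users the host would admit, which local entries disagree with NIS on UID, and which local entries still carry a non-stub password field. The function names and all sample data are constructed for illustration.

```python
def parse_passwd(text):
    """Return {username: (password_field, uid)} from passwd(5)-format text."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, comments and libc "+"/"-" NIS compat lines.
        if not line or line[0] in "#+-":
            continue
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue  # malformed entry, ignore
        entries[fields[0]] = (fields[1], int(fields[2]))
    return entries

def audit(local_text, nis_text):
    """Classify local stub entries against the NIS map."""
    local, nis = parse_passwd(local_text), parse_passwd(nis_text)
    report = {"admitted": [], "uid_mismatch": [], "local_only": [],
              "not_stubbed": [], "excluded": sorted(set(nis) - set(local))}
    for user, (pw, uid) in sorted(local.items()):
        if pw not in ("x", "*"):
            # Stub files should hold no real password field.
            report["not_stubbed"].append(user)
        if user not in nis:
            report["local_only"].append(user)    # e.g. system accounts
        elif nis[user][1] != uid:
            report["uid_mismatch"].append(user)  # file ownership would diverge
        else:
            report["admitted"].append(user)
    return report

# Constructed sample data (not from the original post).
LOCAL = """root:x:0:0:root:/root:/bin/bash
alice:x:501:100:Alice:/home/alice:/bin/bash
bob:*:502:100:Bob:/home/bob:/bin/bash
carol:CONSTRUCTEDHASH:504:100:Carol:/home/carol:/bin/bash
"""
NIS = """alice:CONSTRUCTED:501:100:Alice:/home/alice:/bin/bash
bob:CONSTRUCTED:512:100:Bob:/home/bob:/bin/bash
carol:CONSTRUCTED:504:100:Carol:/home/carol:/bin/bash
dave:CONSTRUCTED:505:100:Dave:/home/dave:/bin/bash
"""

if __name__ == "__main__":
    for category, users in audit(LOCAL, NIS).items():
        print(f"{category}: {', '.join(users) or '-'}")
```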


