
Re: Does PAM support virtual users?



On Mon, Dec 07, 1998 at 09:18:18AM +0000, Jochen Wiedmann wrote:
> > Consider using a name-service-switch module, like nss_ldap. In my personal
> > experience with a web-hosting environment, it works very nice and clean,
> > with absolutely *no* custom code at all.
> 
> What's a name-service-switch module? Something similar to PAM? If so, could
> you please give me pointers?

Under glibc, what happens when an application calls functions like
getpwnam() and getpwuid() etc. is entirely configurable.  Under the
covers, glibc calls a series of modules in much the same way libpam
does.  Just which modules are queried is configured in /etc/nsswitch.conf.
The glibc info pages on the Name Service Switch are very helpful here.

Lots of people have been bouncing around the idea of combining a good
NSS module setup with PAM to handle authentication on networks that
may be too big for other solutions to be practical.  I guess LDAP with
some kind of load-balancing is a front-runner here.

> > Also, drop the idea of "virtual" users. Use real users, with a namespace
> > large enough to support it.
> 
> I see no advantages with real users. I have to care for /etc/passwd, for
> /etc/shadow, I have to care for UID's. In my experience all these things
> seem to be dangerous and error prone. What disadvantages do you see?

If you don't use the nss_files module, you don't have to worry about the
files in /etc, because NSS modules can access information from their own
sources in their own way.  The module from OpenLDAP, IIRC, retrieves
user information via an LDAP server.  As long as there are no collisions
in your user name and uid spaces, everything works pretty well.

The disadvantage of "virtual" users is that I can't see any way to do it
without hacking each program that needs to support them one by one.  The
Name Service Switch is a more systematic way to take care of it.  You still
have to manage UIDs, but if virtual users will ever own files, they'll
need them anyway because filesystems only store UIDs and GIDs, not names.
And as I think you're suggesting this as an option for sendmail, I don't
think not having UIDs is an option for spool files.

Forcing multiple users to the same UID is also a problem because there's
no way to get the name back based on just the UID, which I suspect most
software will want to do at some time or another.

Cheers,

Nalin
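The two points Nalin makes about UIDs (names and UIDs must not collide across the NSS sources, and getpwuid() can hand back only one name per UID) can be checked mechanically. The following C program is an added example and is not code from the thread or from glibc or OpenLDAP; it audits a constructed user table for name and UID collisions, emulates the one-name-per-UID behaviour of a reverse lookup, and round-trips a name through the live Name Service Switch with the glibc calls getpwnam_r() and getpwuid_r(). The sample table and the helper names (count_collisions, first_name_for_uid, nss_roundtrip) are assumptions made for this example.

```c
/* Added example: audit a user namespace for name/UID collisions and
 * round-trip a name through the live NSS (getpwnam_r -> getpwuid_r).
 * Not from the original thread; table and helper names are constructed. */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

struct user_entry { const char *name; uid_t uid; };

/* Constructed sample "virtual user" table; not taken from any real system. */
static const struct user_entry sample[] = {
    {"alice", 5001},
    {"bob",   5002},
    {"carol", 5002},   /* shares bob's UID: reverse lookup is ambiguous */
    {"alice", 5003},   /* duplicate name: forward lookup is ambiguous   */
};
#define SAMPLE_LEN (sizeof sample / sizeof sample[0])

/* Count pairs of entries that collide on name or on UID. Returns the total
 * number of colliding pairs; 0 means the table is safe to publish via NSS. */
int count_collisions(const struct user_entry *tab, size_t n,
                     int *name_dups, int *uid_dups)
{
    int names = 0, uids = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++) {
            if (strcmp(tab[i].name, tab[j].name) == 0) names++;
            if (tab[i].uid == tab[j].uid) uids++;
        }
    if (name_dups) *name_dups = names;
    if (uid_dups) *uid_dups = uids;
    return names + uids;
}

/* Emulate what getpwuid() can do on a table with shared UIDs: it can only
 * hand back one name. Returns the first match, or NULL if the UID is unknown. */
const char *first_name_for_uid(const struct user_entry *tab, size_t n, uid_t uid)
{
    for (size_t i = 0; i < n; i++)
        if (tab[i].uid == uid) return tab[i].name;
    return NULL;
}

/* Round-trip a name through the live NSS: name -> uid -> name.
 * Returns 0 if consistent, 1 if the UID maps back to a different name
 * (a collision somewhere among the nsswitch.conf sources), -1 if the
 * name cannot be resolved at all. */
int nss_roundtrip(const char *name)
{
    struct passwd pw, *res;
    char buf[4096];
    if (getpwnam_r(name, &pw, buf, sizeof buf, &res) != 0 || res == NULL)
        return -1;

    struct passwd pw2, *res2;
    char buf2[4096];
    if (getpwuid_r(pw.pw_uid, &pw2, buf2, sizeof buf2, &res2) != 0 || res2 == NULL)
        return -1;

    return strcmp(name, pw2.pw_name) == 0 ? 0 : 1;
}

int main(void)
{
    int nd, ud;
    int total = count_collisions(sample, SAMPLE_LEN, &nd, &ud);
    printf("collisions in sample table: %d (names %d, uids %d)\n", total, nd, ud);
    printf("uid 5002 reverse-resolves to: %s\n",
           first_name_for_uid(sample, SAMPLE_LEN, 5002));
    printf("round-trip of \"root\" through NSS: %d\n", nss_roundtrip("root"));
    return total == 0 ? 0 : 1;
}
```

Run against the constructed table, the audit reports two colliding pairs (one duplicate name, one shared UID), and the reverse lookup for UID 5002 silently returns "bob" and never "carol", which is exactly the ambiguity a spool directory or a log line that stores only the UID would inherit. The live round-trip uses whatever sources /etc/nsswitch.conf names, so the same check works unchanged once nss_ldap or another module is in the chain.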


