centralized auth and nsswitch.conf
Richard Coleman
richardcoleman at mindspring.com
Thu Jul 24 10:39:02 PDT 2003
Peter da Silva wrote:
One simple way to achieve this is to support nsswitch.conf and have
LDAP support as one of the available switches.
For compatibility, I guess.
The native name server would be accessed through messages and hide
as much of this complexity as possible from the application.
That's the reason I'm hoping this problem will be given some thought.
What is happening now, is that tons of applications are building in
their own support for some type of centralized authentication or
directory lookup. Look at all the configure options for sendmail,
postifix, sasl, mozilla, etc. to add LDAP support to look up information.
I guess I've got this on the top of my mind since I've been doing some
design work on FreeBSD to do centralized authentication and single
sign-on. The number of alternatives is very large, and all require alot
of integration to make work. Some of the choices you immediately hit are:
0. Do you use the old school method (rsync passwords, whatever)?
1. Do you use PAM, native LDAP, or native Kerberos funtionality?
2. Pam can internally call LDAP (pam_ldap) or Kerberos (pam_kbr5).
3. Kerberos can store its data in an LDAP server (patches to Heimdal).
4. Your LDAP server can do native authentication, Kerberos, or SASL.
5. SASL can do native database(sasldb2), use Kerberos, call an LDAP
server, or use PAM.
6. Etc. The options go into a weird recursive loop.
Richard Coleman
More information about the Kernel
mailing list