Bind update

David Rhodus drhodus at catpa.com
Sat Nov 22 19:35:16 PST 2003


Richard Coleman wrote:

Most people don't really care whether / is dynamic or static.  They 
just want NSS to work correctly.  Or more accurately, they want their 
centralized authentication to work correctly.

It has become very common to implement centralized authentication 
using LDAP (or mysql).  I've done this in several large projects for 
my previous employer (large web hosting company).  It's harder than it 
sounds.  If not done correctly, lots of little things do not work 
quite right (accounting file, or seeing uid in "ls" listing rather 
than username).

The most expedient method is dynamically linking in the correct NSS 
resolver.  Other methods are possible (static resolver talking to 
resolver daemon).  But with these other methods, I wonder how we can 
get all the third party PAM and NSS modules working.  There are lots 
of them, and most assume the dynamic library method.


Right! Your statement about having to try and make all of this cruft work correctly is what I've seen too many times. This is why I'm not sure NSS will help anything; most likely it will add more cruft that has no synchronization boundary defined. One of the things we'll be doing in DragonFly is to replace PAM/NSS with something much cleaner and more efficient. Most of the protection domains defined by these mechanisms are questionable for many reasons, not just the added complexity wrapped around them. As I've been working on some of the shared messaging protocol code the past few days, I've found myself thinking about how to work in a clean implementation of some rendezvous-type code, which leads me back to the thought of how we will be doing a lookupd-type system in DragonFly, at which point we'll be able to set aside PAM/NSS, as they are in my book completely useless anyway. Anymore, when I'm asked to implement a centralized authentication system using LDAP / MySQL or anything, I'll spend the first day writing a User Account Management System for which everything will use a custom client defined for the system type to authenticate off of the DB system. I've been extremely successful in using a custom authentication method across various platforms (HP-UX, Solaris, BSD, Linux, AIX, etc.) rather than trying to make a PAM/NSS setup work.

-DR
