Bind update
David Rhodus
drhodus at catpa.com
Sat Nov 22 19:35:16 PST 2003
Richard Coleman wrote:
> Most people don't really care whether / is dynamic or static. They
> just want NSS to work correctly. Or more accurately, they want their
> centralized authentication to work correctly.
>
> It has become very common to implement centralized authentication
> using LDAP (or MySQL). I've done this in several large projects for
> my previous employer (a large web hosting company). It's harder than it
> sounds. If not done correctly, lots of little things do not work
> quite right (the accounting file, or seeing a uid in an "ls" listing rather
> than a username).
>
> The most expedient method is dynamically linking in the correct NSS
> resolver. Other methods are possible (a static resolver talking to a
> resolver daemon). But with these other methods, I wonder how we can
> get all the third-party PAM and NSS modules working. There are lots
> of them, and most assume the dynamic library method.
Right! Your statement about having to try and make all of this cruft
work correctly is what I've seen too many times. This is why I'm not
sure NSS will help anything; most likely it will add more cruft that
has no synchronization boundary defined. One of the things we'll be
doing in DragonFly is to replace PAM/NSS with something much cleaner
and more efficient. Most of the protection domains defined by these
mechanisms are questionable for many reasons, not just the added
complexity wrapped around them. As I've been working on some of the
shared messaging protocol code the past few days, I've found myself
thinking about how to work in a clean implementation of some
rendezvous-type code, which leads me back to the thought of how we
will be doing a lookupd-type system in DragonFly, at which point we'll
be able to set aside PAM/NSS, as they are in my book completely
useless anyway.

Anymore, when I'm asked to implement a centralized authentication
system using LDAP / MySQL or anything, I'll spend the first day
writing a User Account Management System for which everything will use
a custom client defined for the system type to authenticate off of the
DB system. I've been far more successful using a custom authentication
method across various platforms (HP-UX, Solaris, BSD, Linux, AIX,
etc.) than trying to make a PAM/NSS setup work.
-DR