Bind update
Richard Coleman
richardcoleman at mindspring.com
Sun Nov 23 07:34:31 PST 2003
Joerg Sonnenberger wrote:
>> Most people don't really care whether / is dynamic or static. They just
>> want NSS to work correctly. Or more accurately, they want their
>> centralized authentication to work correctly.
>
> NSS != authentication. The evil implementation of authentication is PAM.
> So, to summarize the PAM vs. BSD auth discussion on NetBSD:
> - BSD auth is simpler
> - PAM seems to be pretty standard and platform independent
> - the only thing BSD auth can't directly do is the PAG for AFS
> - many PAM modules can run with a wrapper
> - BSD auth cannot affect the calling process, e.g. by changing random stuff

Well, I was just being sloppy. When I talk about centralized
authentication, I'm actually talking about something more general than
just handling the authentication phase. I want to centralize all
aspects of user/group account management (authentication, authorization,
uid -> username mappings, etc). I imagine this is common for most
sysadmins that want to build such systems.
I've gone through the NetBSD archives and read the thread on BSD auth
versus shared libraries, but never found many details on the BSD auth
method. Where can I read about this?
So far, the only working systems I've seen accomplish this are using
dynamic libraries (that's how it's done in Solaris, Linux, and now
FreeBSD-current). I've never seen anyone actually implement the
alternates that are discussed in a method that solves all the necessary
problems.
Most of the people that argue against this try to convince everyone that
they don't really need those features, and the arguments degenerate from
there.
Richard Coleman
richardcoleman at xxxxxxxxxxxxxx