From owner-freebsd-current@FreeBSD.ORG Thu Dec 4 16:28:20 2003
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 017FD16A4CE; Thu, 4 Dec 2003 16:28:20 -0800 (PST)
Received: from rwcrmhc11.comcast.net (rwcrmhc11.comcast.net [204.127.198.35]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8364043FCB; Thu, 4 Dec 2003 16:28:16 -0800 (PST) (envelope-from julian@elischer.org)
Received: from interjet.elischer.org ([24.7.73.28]) by comcast.net (rwcrmhc11) with ESMTP id <2003120500281501300mt5h7e>; Fri, 5 Dec 2003 00:28:15 +0000
Received: from localhost (localhost.elischer.org [127.0.0.1]) by InterJet.elischer.org (8.9.1a/8.9.1) with ESMTP id QAA45843; Thu, 4 Dec 2003 16:28:14 -0800 (PST)
Date: Thu, 4 Dec 2003 16:28:13 -0800 (PST)
From: Julian Elischer
To: Robert Watson
Cc: Jacques Vidrine
Cc: Dag-Erling Smørgrav
Cc: freebsd-current@freebsd.org
Subject: Re: NSS and PAM
List-Id: Discussions about the use of FreeBSD-current
X-List-Received-Date: Fri, 05 Dec 2003 00:28:20 -0000

On Thu, 4 Dec 2003, Robert Watson wrote:
>
> On Fri, 5 Dec 2003, Dag-Erling Smørgrav wrote:
>
> > Jacques Vidrine writes:
> > > Applications that use PAM to change the password when the password
> > > expires seem to work out OK.
> >
> > This works because each backend knows whether or not the password needs
> > changing (there is a flag to tell the module to only ask for a new
> > password if the current password has expired). When you are purposely
> > changing your password before it expires, things are a little less
> > clear.
> >
> > Things might be easier if NSS had a proper API which included entry
> > points for storing and updating user information (and not just for
> > retrieving). Then pam_unix wouldn't need to know anything about
> > /etc/spwd.db or NIS; it would just retrieve the information from NSS,
> > note that the password had expired, ask the user for a new password and
> > tell NSS to store it.
>
> I think I agree pretty strongly with your earlier comment that the current
> "struct passwd" is simply insufficient for a lot of the things we'd like
> to accomplish. It's good for UNIX app compatibility and home directory
> expansion, but it sounds like we need a much stronger notion of "user"
> than we currently have. We bump into this in the existence of login.conf,
> setusercontext(), and the MAC code. It might be worth digging into
> Apple's DirectoryServices, as well as Solaris's roles/etc equivalent.

We also desperately need an interface for opaquely WRITING a password entry
into NIS or flatfile or whatever. Porting npasswd to FreeBSD was a pain in
the neck because of this. Npasswd has an "mpasswd" struct that includes the
system's passwd structure but contains a 'per method' pointer and fields for
password expiration etc. as well.

The interface needs to also automatically do things like load the login.conf
info for the user and the auth.conf info as well. I had to do that all by
hand in the npasswd port, which was a real annoyance.

>
> Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
> robert@fledge.watson.org      Senior Research Scientist, McAfee Research
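As an added illustration of the two points raised in this message (DES's "retrieve, note expiry, ask for a new password, store" flow, and Julian's mpasswd struct with a per-method pointer and expiration fields), here is a sketch in C of what such an opaque lookup/store interface could look like. This is example code written for this page; it is not from the thread, FreeBSD, PAM, npasswd or any NSS implementation. Every name in it (mpasswd, pw_method, pw_change_password, flat_*) is hypothetical, the in-memory "flatfile" backend is constructed for the demo, and toy_hash is an FNV-1a placeholder standing in for crypt(3), not a password hash.

```c
/* Added example, not code from this thread, FreeBSD, PAM or npasswd. A sketch
 * of an opaque lookup/store interface: struct mpasswd wraps the system passwd
 * entry with an expiry time and a per-method handle, and a method vtable hides
 * whether the store is spwd.db, NIS or anything else. All names are
 * hypothetical; the in-memory "flatfile" backend and toy_hash (FNV-1a standing
 * in for crypt(3), NOT a password hash) are constructed for the demo. */
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define HASH_LEN 32
#define MAX_AGE  (90L * 24 * 3600)   /* would come from login.conf; fixed here */

struct pw_method;
struct mpasswd {
    struct passwd pw;               /* the system entry, for UNIX app compatibility */
    time_t change;                  /* 0 = never expires; else a change is due from this time */
    const struct pw_method *method; /* the store this entry came from */
    void *method_data;              /* opaque per-method state: db path, NIS domain, ... */
};
struct pw_method {                  /* what every store implements */
    const char *name;
    int (*lookup)(void *data, const char *user, struct mpasswd *out);
    int (*store)(void *data, const struct mpasswd *entry);
};

/* FNV-1a over "salt:password", formatted like a crypt string. Demo only. */
static void toy_hash(const char *salt, const char *pw, char out[HASH_LEN])
{
    uint64_t h = 1469598103934665603ULL;
    const char *parts[3] = { salt, ":", pw };
    for (int i = 0; i < 3; i++)
        for (const char *p = parts[i]; *p; p++) { h ^= (unsigned char)*p; h *= 1099511628211ULL; }
    snprintf(out, HASH_LEN, "$toy$%s$%016llx", salt, (unsigned long long)h);
}

static int toy_verify(const char *stored, const char *pw)
{
    char salt[9], again[HASH_LEN];
    const char *s, *e;
    if (strncmp(stored, "$toy$", 5) != 0) return 0;
    s = stored + 5;
    e = strchr(s, '$');
    if (e == NULL || (size_t)(e - s) >= sizeof salt) return 0;
    memcpy(salt, s, (size_t)(e - s));
    salt[e - s] = '\0';
    toy_hash(salt, pw, again);
    return strcmp(stored, again) == 0;
}

/* ---- toy in-memory "flatfile" backend, constructed for the demo ---- */
struct flat_rec { char name[16]; char hash[HASH_LEN]; time_t change; };
struct flat_db  { struct flat_rec rec[4]; int n; };

static struct flat_rec *flat_find(struct flat_db *db, const char *user)
{
    for (int i = 0; i < db->n; i++)
        if (strcmp(db->rec[i].name, user) == 0) return &db->rec[i];
    return NULL;
}

static int flat_lookup(void *data, const char *user, struct mpasswd *out)
{
    struct flat_rec *r = flat_find(data, user);
    if (r == NULL) return -1;
    memset(out, 0, sizeof *out);
    out->pw.pw_name = r->name;      /* pointers stay valid while the db does */
    out->pw.pw_passwd = r->hash;
    out->change = r->change;
    return 0;
}

static int flat_store(void *data, const struct mpasswd *e)
{
    struct flat_rec *r = flat_find(data, e->pw.pw_name);
    if (r == NULL) return -1;
    if (e->pw.pw_passwd != r->hash)  /* avoid copying the buffer onto itself */
        snprintf(r->hash, HASH_LEN, "%s", e->pw.pw_passwd);
    r->change = e->change;
    return 0;
}

static const struct pw_method flat_method = { "flatfile", flat_lookup, flat_store };

/* The flow described in the thread: fetch through the opaque interface, check
 * the old password, decide whether a change is required, store through the
 * same interface. Nothing here knows the backing format. Returns 0 if changed,
 * 1 if only_if_expired was set and the entry is still current, -1 on unknown
 * user, wrong old password or store failure. */
int pw_change_password(const struct pw_method *m, void *data, const char *user,
                       const char *oldpw, const char *newpw, time_t now,
                       int only_if_expired)
{
    struct mpasswd e;
    char newhash[HASH_LEN];
    if (m->lookup(data, user, &e) != 0) return -1;
    e.method = m;
    e.method_data = data;
    if (!toy_verify(e.pw.pw_passwd, oldpw)) return -1;   /* never write on a bad old password */
    if (only_if_expired && !(e.change != 0 && now >= e.change)) return 1;
    toy_hash("s4lt", newpw, newhash);                    /* real code: fresh random salt */
    e.pw.pw_passwd = newhash;
    e.change = now + MAX_AGE;
    return e.method->store(e.method_data, &e);
}

/* Two constructed users: alice's password expired at t=100, bob's never does. */
static void demo_db(struct flat_db *db)
{
    memset(db, 0, sizeof *db);
    snprintf(db->rec[0].name, 16, "alice"); toy_hash("ab", "old", db->rec[0].hash); db->rec[0].change = 100;
    snprintf(db->rec[1].name, 16, "bob");   toy_hash("cd", "old", db->rec[1].hash);
    db->n = 2;
}
```

With the flag set, pw_change_password(&flat_method, &db, "alice", "old", "new", 200, 1) rewrites alice's entry because it expired at t=100, while the same call for bob returns 1 and leaves his entry untouched; a wrong old password returns -1 before anything is written. A second backend (NIS, a db file) would only need to supply another pw_method table; the caller does not change.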