From: Wes Peters <wes@softweyr.com>
Organization: Softweyr LLC
Date: Mon, 19 Jul 1999 16:51:12 -0600
To: Mike Smith
Cc: "David E. Cross", Oscar Bonilla, Dag-Erling Smorgrav, freebsd-hackers@FreeBSD.ORG
Subject: Re: PAM & LDAP in FreeBSD
Message-Id: <3793ABE0.15090E38@softweyr.com>
References: <199907192111.OAA01326@dingo.cdrom.com>

Mike Smith wrote:
> > > > > > ldap:*:389:389:o=My Organization, c=BR:uid:ldap.myorg.com
> > > > >
> > > > > Horrible idea.
> > > > >
> > > >
> > > > suggestions?
> > >
> > > Use PAM.
> >
> > PAM isn't going to cut it. This is outside of its realm. Things like ps,
> > top, ls, chown, chmod, lpr, rcmd, who, w, (the list goes on) need to be able
> > to pull 'passwd' entries from the LDAP server, and unless we PAM all of those
> > (I think that is a very bad idea), then a person will be able to login but
> > will be dead in the water without a UID <-> Username mapping.
>
> The Linux-PAM folks solved this with their 'libpwdb', which basically
> provides a transport-neutral interface to the whole uid:userdata
> mapping. Unfortunately, their implementation _reeks_, so nobody has
> touched it yet.
>
> This is, however, how I think we should be going.

100% agreement here. This needs to be implemented such that the
administrator configures the box to use local files, or NIS, or LDAP, or
whatever as the source of username information, and both login(1) and
ls(1) use the information as appropriate. For ls(1) and friends, this
means implementing getpwuid(3) (and getgrgid(3)) so they "just work."

The implementation details are as unimportant as ever: they have to work
and be maintainable. Following prior art remains a good idea; the Solaris
"name service switch" implementation is a good starting point to consider.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                     Softweyr LLC
http://softweyr.com/                                       wes@softweyr.com
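To illustrate the "name service switch" idea the reply points at (one getpwuid(3) front end, several interchangeable back ends chosen by the administrator), here is an added example that is not part of the thread or of any FreeBSD, Solaris or Linux-PAM code. It assumes a config line in the nsswitch.conf style ("passwd: files ldap") and uses two constructed in-memory tables in place of /etc/passwd and a real LDAP directory.

```c
/* Added example: a minimal name-service-switch style dispatcher for
 * uid -> username lookups. Sources are tried in the order given on the
 * "passwd:" line, exactly as ls(1) and friends would want getpwuid(3)
 * to behave. The "ldap" source is a constructed stand-in table, not a
 * real LDAP client. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

struct pw_entry { uid_t uid; const char *name; };

/* Constructed sample data standing in for /etc/passwd and the directory. */
static const struct pw_entry files_db[] = { {0, "root"}, {1000, "wes"} };
static const struct pw_entry ldap_db[]  = { {2000, "dcross"}, {2001, "obonilla"} };

static const char *lookup_in(const struct pw_entry *db, size_t n, uid_t uid) {
    for (size_t i = 0; i < n; i++)
        if (db[i].uid == uid) return db[i].name;
    return NULL;
}
static const char *files_byuid(uid_t uid) { return lookup_in(files_db, 2, uid); }
static const char *ldap_byuid(uid_t uid)  { return lookup_in(ldap_db, 2, uid); }

/* Every back end exposes the same interface; the switch only knows names. */
struct source { const char *name; const char *(*byuid)(uid_t); };
static const struct source sources[] = { {"files", files_byuid}, {"ldap", ldap_byuid} };

/* Resolve uid -> name using the sources listed after "passwd:" in order.
 * Returns NULL if no configured source knows the uid (ls would then fall
 * back to printing the numeric uid). Unknown source names are skipped. */
const char *nss_getpwuid(const char *passwd_line, uid_t uid) {
    char buf[128];
    strncpy(buf, passwd_line, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    char *p = strchr(buf, ':');
    if (p == NULL) return NULL;               /* malformed config line */
    for (char *tok = strtok(p + 1, " \t"); tok; tok = strtok(NULL, " \t")) {
        for (size_t i = 0; i < sizeof sources / sizeof sources[0]; i++) {
            if (strcmp(tok, sources[i].name) == 0) {
                const char *r = sources[i].byuid(uid);
                if (r) return r;              /* first source that answers wins */
            }
        }
    }
    return NULL;
}

int main(void) {
    printf("%s\n", nss_getpwuid("passwd: files ldap", 2000)); /* prints "dcross" */
    return 0;
}
```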