From: Robert Watson <robert@fledge.watson.org>
Date: Mon, 1 Dec 2003 12:14:23 -0500 (EST)
To: Dag-Erling Smørgrav
cc: "Jacques A. Vidrine", freebsd-current@FreeBSD.org
Subject: Re: NSS and PAM

On Mon, 1 Dec 2003, Dag-Erling Smørgrav wrote:

> "Jacques A. Vidrine" writes:
> > By `the two', do you mean directory services and authentication? They
> > are certainly not `essentially one'. But I suspect you know this and
> > I am just misunderstanding your meaning.
>
> They are different issues, but in this context you can't discuss one
> without the other. Authentication doesn't work unless you have a user
> to authenticate. It makes no sense to separate them; you just end up
> duplicating a lot of concepts and code.
>
> Also, is changing your password an authentication function or a
> directory function? I don't think you can answer either without
> answering both.

It strikes me that there are two separate issues:

(1) Whether or not there's a useful distinction between authentication
    services and directory services.

(2) If there is or isn't such a distinction in (1), whether or not that
    distinction should appear in the implementation.

In practice, people frequently mix and match authentication services and
directory services, and there are services that implement one but not the
other. For example, Kerberos5 for authentication and LDAP for directory
services is a common combination: however, Kerberos doesn't provide
directory services, only principal authentication. Likewise, even on
purely local systems, the account directory services (pwent, et al) may be
distinct from principal authentication using one-time passwords, etc.

I'm not opposed to the fundamental idea of combining mechanism, but there
are some practical underlying differences between directory services and
authentication, even though there's clear overlap.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Senior Research Scientist, McAfee Research
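The separation Robert describes (an NSS-style directory service answering "who is this user" versus a PAM-style authenticator answering "is this really them", with one-time passwords as the local example) can be made concrete with two independent interfaces and a login routine that composes them. The following is an added illustration written for this page, not code from FreeBSD, NSS or PAM; the passwd-format lines, user names and the shared HOTP secret are constructed sample values, and the class and function names are this example's own. Authentication uses RFC 4226 HOTP from the standard library so the example runs offline.

```python
"""Directory lookup and principal authentication as two separate interfaces.

Added example: models the NSS/PAM split discussed in the thread. Not FreeBSD code.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Protocol

# Constructed passwd(5)-style lines standing in for the local account
# directory (the "pwent" side). Every value here is invented for the example.
PASSWD_LINES = [
    "root:*:0:0:Charlie &:/root:/bin/sh",
    "alice:*:1001:1001:Alice Example:/home/alice:/bin/sh",
    "bob:*:1002:1002:Bob Example:/home/bob:/usr/sbin/nologin",
]


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


class DirectoryService(Protocol):
    """Directory side: maps a name to account attributes, never verifies credentials."""
    def lookup(self, name: str) -> Optional[Account]: ...


class Authenticator(Protocol):
    """Authentication side: verifies a credential for a principal, knows no uids or shells."""
    def authenticate(self, principal: str, credential: str) -> bool: ...


class PasswdDirectory:
    """Parses passwd-format lines into Account records (the directory service)."""
    def __init__(self, lines: Iterable[str]) -> None:
        self._by_name: Dict[str, Account] = {}
        for line in lines:
            fields = line.split(":")
            if len(fields) != 7:
                raise ValueError(f"malformed passwd line: {line!r}")
            name, _pw, uid, gid, gecos, home, shell = fields
            self._by_name[name] = Account(name, int(uid), int(gid), gecos, home, shell)

    def lookup(self, name: str) -> Optional[Account]:
        return self._by_name.get(name)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpAuthenticator:
    """One-time-password authenticator: holds per-principal secrets and counters only."""
    def __init__(self, secrets: Dict[str, bytes], window: int = 5) -> None:
        self._secrets = dict(secrets)
        self._counters = {principal: 0 for principal in secrets}
        self._window = window  # how far ahead of the stored counter we will resynchronise

    def authenticate(self, principal: str, credential: str) -> bool:
        secret = self._secrets.get(principal)
        if secret is None:
            return False  # unknown principal: no secret, so nothing to verify
        start = self._counters[principal]
        for counter in range(start, start + self._window):
            if hmac.compare_digest(hotp(secret, counter), credential):
                self._counters[principal] = counter + 1  # advance so the code cannot be replayed
                return True
        return False


def login(directory: DirectoryService, authenticator: Authenticator,
          name: str, credential: str) -> Optional[Account]:
    """A login needs both halves: an account to log in as, and proof of the principal."""
    account = directory.lookup(name)
    if account is None:
        return None
    if not authenticator.authenticate(name, credential):
        return None
    return account
```

The two backends know nothing about each other: `PasswdDirectory` can be swapped for an LDAP-backed lookup and `OtpAuthenticator` for a Kerberos client without touching `login`. The test below also exercises the cases the separation makes visible: a principal the authenticator accepts but the directory has never heard of, an account in the directory with no authentication principal behind it, and a replayed one-time code.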