From owner-freebsd-hackers Thu Jul 22 7: 0:25 1999
Delivered-To: freebsd-hackers@freebsd.org
Received: from rebel.net.au (rebel.rebel.net.au [203.20.69.66]) by hub.freebsd.org (Postfix) with ESMTP id 10CDC14D44 for ; Thu, 22 Jul 1999 07:00:13 -0700 (PDT) (envelope-from kkenn@rebel.net.au)
Received: from 203.20.69.80 (dialup-10.rebel.net.au [203.20.69.80]) by rebel.net.au (8.8.5/8.8.4) with ESMTP id XAA25266 for ; Thu, 22 Jul 1999 23:28:05 +0930
Received: (qmail 32904 invoked from network); 22 Jul 1999 13:58:19 -0000
Received: from localhost (kkenn@127.0.0.1) by localhost with SMTP; 22 Jul 1999 13:58:19 -0000
Date: Thu, 22 Jul 1999 23:28:19 +0930 (CST)
From: Kris Kennaway
Reply-To: kkenn@rebel.net.au
To: "Daniel C. Sobral"
Cc: hackers@freebsd.org
Subject: Re: PAM & LDAP in FreeBSD
In-Reply-To: <3795EEB9.1A21EEA@newsguy.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu, 22 Jul 1999, Daniel C. Sobral wrote:

> Oscar Bonilla wrote:
> >
> > There are three parts to the problem:
> >
> > 1. Where do we get the databases from? I mean, where do we get passwd, group,
> > hosts, ethers, etc from.
> >
> > This should be handled by a name service switch a la solaris. Basically
> > we want to be able to tell the system for each individual database where
> > to get the stuff from. We can add entries for each database in the system.
>
> I perceive here an unfair biasing toward nss. Someone mentioned
> defining where to get the passwords from based on the login class.

Not quite, if you're talking about me - I use login.conf to tell passwd(1)
what hash algorithm to use for new account passwords. login.conf isn't
applicable for where to get passwords from; you need to already know the
user name (and presumably the entire struct passwd) to know what login class
they're in.

What does make sense is to be able to configure where getpwent() and friends
go to get the struct passwd in the first place; whether from
/etc/[s]pwd.db, a LDAP server, etc. This could either be done by teaching
getpwent() how to interface with more and more backends, or by a config file
which (effectively) swaps between entirely different getpwent() functions
(one which talks to spwd.db, one which talks LDAP, etc). This is the
nsswitch.conf route.

Kris

> This is a very interesting option, that doesn't seem to be well
> served by nss.
>
> --
> Daniel C. Sobral (8-DCS)
> dcs@newsguy.com
> dcs@freebsd.org
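
The following is an added illustration, not code from this thread or from FreeBSD. It sketches the "config file swaps between different getpwent() functions" design discussed above, with a Solaris-style `passwd: files ldap` line choosing the lookup order. All names (`struct entry`, `switch_getpwnam`, the `backends` table) and the sample users are hypothetical, and the "ldap" backend is an in-memory stand-in that contacts no directory server.

```c
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for struct passwd; pw_class mirrors the FreeBSD field. */
struct entry { const char *name; int uid; const char *pw_class; };

/* Constructed sample data: a local database and a simulated directory. */
static const struct entry files_db[] = { {"root", 0, "root"}, {"kris", 1001, "staff"} };
static const struct entry ldap_db[]  = { {"oscar", 2001, "default"} };

static const struct entry *scan(const struct entry *db, size_t n, const char *name) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(db[i].name, name) == 0) return &db[i];
    return NULL;
}
static const struct entry *files_getpwnam(const char *n) {
    return scan(files_db, sizeof files_db / sizeof files_db[0], n);
}
static const struct entry *ldap_getpwnam(const char *n) {
    return scan(ldap_db, sizeof ldap_db / sizeof ldap_db[0], n);
}

/* One lookup function per source, selected by the name used in the config. */
static const struct { const char *src; const struct entry *(*getpwnam)(const char *); }
backends[] = { {"files", files_getpwnam}, {"ldap", ldap_getpwnam} };

/* Resolve `name` using the sources listed on a "passwd: src1 src2" line,
 * in order. On a hit, *src_out names the backend that answered. */
const struct entry *switch_getpwnam(const char *conf_line, const char *name,
                                    const char **src_out) {
    char buf[128];
    const char *p = strchr(conf_line, ':');
    if (p == NULL || p - conf_line != 6 || strncmp(conf_line, "passwd", 6) != 0)
        return NULL;                       /* not a passwd database line */
    snprintf(buf, sizeof buf, "%s", p + 1);
    for (char *tok = strtok(buf, " \t\n"); tok; tok = strtok(NULL, " \t\n"))
        for (size_t i = 0; i < sizeof backends / sizeof backends[0]; i++)
            if (strcmp(tok, backends[i].src) == 0) {
                const struct entry *e = backends[i].getpwnam(name);
                if (e) { *src_out = backends[i].src; return e; }
            }
    return NULL;                           /* no configured source knows the user */
}

int main(void) {
    const char *src = "none";
    const struct entry *e = switch_getpwnam("passwd: files ldap", "oscar", &src);
    /* The login class is only available once the entry has been fetched. */
    if (e) printf("%s uid=%d class=%s (from %s)\n", e->name, e->uid, e->pw_class, src);
    return 0;
}
```

The source is chosen before any user record exists, while `pw_class` only appears in the returned entry, which is why the login class cannot be what selects the password source.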