On Tue, Aug 12, 2003 at 05:13:29PM +0300, ????? ????? <[EMAIL PROTECTED]> wrote a message of 35 lines which said:
> that, to have the session and etc. things, i need to use the NSS system
> (/etc/nsswitch.conf) with the nss-pgsql module, not the PAM stuff

Of course, because some functions do not require authentication (the work of PAM) but still require mappings of name2uid or the opposite. Think of 'ls -l', for instance. The inode of a file stores a uid, not a name. How can ls display a name? Because it calls getpwuid(3), which in turn relies on NSS. (Try it: once logged in, shut down your LDAP server - and the nscd if it exists. Then, 'ls -l ~'.)

> e.g. you practically can't make ssh to authenticate directly from
> database, without the help of something like /etc/passwd (you need
> the UID, homedir, etc. info).

No, no, and no. You can have a ssh authentication without anything in /etc/passwd. You need NSS, true (sshd looks up to see if the user name exists, before attempting authentication, and so getpwnam(3) must succeed) but not /etc/passwd if PAM and NSS both use LDAP.

> So, my question is, am I wrong, or you always have to use the NSS
> modules?

In practice, yes, using Unix without NSS is too painful (think about ps, ls, id, etc).

> If so, why there is pam, if you can use NSS,

PAM does a lot of things that NSS does not do. NSS only manages mappings. PAM can create directories, force you to use two or more authentication methods, etc. So, in practice, you typically need both PAM and NSS.
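
The two NSS lookups the message above relies on, as an added example that is not part of the original post: the uid-to-name step behind 'ls -l', including the numeric fallback you see when no NSS source answers, and the getpwnam(3) existence check it describes for sshd. The function names owner_label, path_owner and account_known are hypothetical.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Render an owner column from an NSS result. pw is what getpwuid(3)
 * returned; NULL means no source in nsswitch.conf knew this uid. */
int owner_label(const struct passwd *pw, uid_t uid, char *out, size_t len)
{
    if (pw != NULL && pw->pw_name != NULL) {
        snprintf(out, len, "%s", pw->pw_name);
        return 1;                       /* resolved through NSS */
    }
    snprintf(out, len, "%lu", (unsigned long)uid);
    return 0;                           /* fallback: bare number */
}

/* Owner of path: 1 = name resolved, 0 = numeric fallback, -1 = stat failed. */
int path_owner(const char *path, char *out, size_t len)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    /* The inode carries only st_uid; the name has to come from NSS. */
    return owner_label(getpwuid(st.st_uid), st.st_uid, out, len);
}

/* Name-to-entry lookup: no password is checked here, that part is PAM's. */
int account_known(const char *name)
{
    return getpwnam(name) != NULL;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : ".";
    char owner[64];
    int rc = path_owner(path, owner, sizeof owner);
    if (rc < 0) { perror(path); return 1; }
    printf("%s owner=%s (%s)\n", path, owner,
           rc ? "resolved by NSS" : "no NSS mapping, numeric uid shown");
    if (argc > 2)
        printf("getpwnam(%s): %s\n", argv[2],
               account_known(argv[2]) ? "found" : "not found");
    return 0;
}
```

Run it with a path and, optionally, a user name as the second argument; repeating the run with the directory backend stopped shows the owner column dropping to a number.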

