
Excerpts from mail: 14-Jun-96 Re: defining system account..
[EMAIL PROTECTED] (1509*)

> I see no fundamental difference between validating
> users and resolving machine names to IP numbers. 

Hear, hear!

That is the approach Athena followed with our Hesiod server.
For the NON SECURE parts of the passwd file, it's just like a DNS name
to name translation.

Athena Hesiod does require a few lines of code in login to dynamically
add and delete the fake passwd file entry to /etc/passwd, but after
that, NO programs needing the non-secure passwd bits need be modified in
any way.

There remains the issue of access control and the user's password which
are the secure parts of an /etc/passwd entry.  I like the way MIT did
that too: a SMALL program that communicated with the security server to
answer yea or nay.

It turned out that the primary obstacle to the acceptance of Hesiod was
that sites didn't want to deal with the overhead of stoking a BIND
database from a user account list.  MIT does it with a relational
database.  Nobody bothered to do it with a lower overhead method.

My personal aesthetic is that any viable central administration system
for user accounts MUST have the ability to allow a local machine to
override the central administration at times.  If this is not possible
with DCE, then either it will change or DCE will die.

-wdc
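
Added example, not part of the original message and not Athena's code: a sketch of the login-time step described above, where the non-secure passwd fields come from a name-service answer, a local entry overrides the central one, and the temporary line is added at login and removed at logout. It assumes the Hesiod answer is a single passwd-format line; the function names, the `min_uid` threshold and the sample accounts are hypothetical.

```python
import re

NAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
NUM_RE = re.compile(r"[0-9]{1,10}")

def parse_entry(line):
    """Split one passwd-format line into validated fields (password dropped)."""
    fields = line.split(":")
    if len(fields) != 7 or any(c in line for c in "\r\n"):
        raise ValueError("not a single 7-field passwd line")
    name, _pw, uid, gid, gecos, home, shell = fields
    if not NAME_RE.fullmatch(name):
        raise ValueError("bad login name")
    if not (NUM_RE.fullmatch(uid) and NUM_RE.fullmatch(gid)):
        raise ValueError("uid/gid not numeric")
    if not (home.startswith("/") and shell.startswith("/")):
        raise ValueError("home and shell must be absolute paths")
    return name, int(uid), int(gid), gecos, home, shell

def resolve(user, hesiod_txt, local_passwd, min_uid=100):
    """Return (passwd_line, source). A local entry always wins."""
    for line in local_passwd.splitlines():
        if line.split(":", 1)[0] == user:
            return line, "local"
    name, uid, gid, gecos, home, shell = parse_entry(hesiod_txt)
    if name != user:
        raise ValueError("record is for a different user")
    if uid < min_uid:  # assumed policy: central records never claim system uids
        raise ValueError("central record may not claim a system uid")
    # Password field is forced to "*": the secret never comes from the name service.
    return f"{name}:*:{uid}:{gid}:{gecos}:{home}:{shell}", "hesiod"

def add_entry(passwd_text, line):
    """Login time: append the temporary entry."""
    return passwd_text.rstrip("\n") + "\n" + line + "\n"

def remove_entry(passwd_text, line):
    """Logout time: drop exactly the line that was added."""
    kept = [l for l in passwd_text.splitlines() if l != line]
    return "\n".join(kept) + "\n"

# Constructed sample data: a local passwd file and one name-service answer.
LOCAL = "root:*:0:0:root:/root:/bin/sh\nops:*:500:500:Local ops:/home/ops:/bin/sh\n"
HESIOD_JDOE = "jdoe:*:5001:101:J Doe:/mit/jdoe:/bin/csh"
```

The functions work on strings rather than on /etc/passwd itself, so the example runs without touching the system; the authentication decision stays with the separate security server the message mentions.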
