On Sat, Nov 29, 2003 at 02:01:02PM +0100, Matthias Andree wrote:
Jacques A. Vidrine [EMAIL PROTECTED] writes:
NSS and PAM do not overlap.
I wonder how PAM gets system authentication information for pam_pwdb
or pam_unix or how it's called today and on the pertinent system if not
through NSS
execution as an
FSM) and cleaned up the configuration syntax, you'd end up with
something quite nice.
If I understand you correctly, you believe that it would be possible
to unite the NSS and PAM switches, so that they used the same
configuration file, dynamic loading mechanisms, cascading, and so
to change
for little benefit.
Backward compatibility is fine, but NSS does not seem to export an API
that we can use when we want to lift ourselves out of the mud, so we
are forced to keep rooting around in it. One consequence of this (and
of the artificial separation between NSS and PAM
On Mon, 1 Dec 2003, Dag-Erling Smørgrav wrote:
Jacques A. Vidrine [EMAIL PROTECTED] writes:
By `the two', do you mean directory services and authentication? They
are certainly not `essentially one'. But I suspect you know this and
I am just misunderstanding your meaning.
They are
On Mon, 2003-12-01 at 11:48, Dag-Erling Smørgrav wrote:
If I understand you correctly, you believe that it would be possible
to unite the NSS and PAM switches, so that they used the same
configuration file, dynamic loading mechanisms, cascading, and so
on. Sure, I think that's possible
has a generic nsdispatch(3) that allows for new applications, but I'm
not sure that is what you mean. At any rate, it is not `NSS' proper, it
is an implementation detail.
One consequence of this (and
of the artificial separation between NSS and PAM) is that passwd(1)
doesn't work properly except
Jacques A. Vidrine [EMAIL PROTECTED] writes:
Hmm, I disagree completely. :-) [...]
You are bringing authorization into the fray... we're talking about
directory services (retrieving information about a user) and
authentication (identifying someone as that user), not authorization.
Also, is
On Mon, 01 Dec 2003 23:24:40 +0100, [EMAIL PROTECTED] (Dag-Erling
Smørgrav) said:
The problem is that the authentication information needs to be stored
somewhere, and the usual solution is to store it in the directory,
...which is usually the worst possible place. Please
Garrett Wollman [EMAIL PROTECTED] writes:
On Mon, 01 Dec 2003 23:24:40 +0100, [EMAIL PROTECTED] (Dag-Erling
Smørgrav) said:
The problem is that the authentication information needs to be stored
somewhere, and the usual solution is to store it in the directory,
...which
.
What exactly is your sensible authentication system?
Why is the directory usually the worst for storing
authentication information?
What do you think are the correct fracture points and
how do they relate to the existing PAM/NSS frameworks?
Tim
. But this arrangement allows traditional APIs to work reasonably
--- and you can layer PAM and NSS on top of it as compatibility APIs.
--
brandon s. allbery [linux,solaris,freebsd,perl] [EMAIL PROTECTED]
system administrator [WAY too many hats] [EMAIL PROTECTED]
electrical
why does /bin/sh need NSS support?
Jacques A. Vidrine wrote:
[Threading intentionally broken.]
On Sat, Nov 29, 2003 at 01:16:25AM +0100, Dag-Erling Smørgrav wrote:
Jacques A. Vidrine [EMAIL PROTECTED] writes:
NSS and PAM do not overlap. They are complimentary and one cannot do
the job
might discuss if PAM is really
needed with NSS in place, but it's hard to think of a system without
NSS and removing PAM now doesn't look right.
NSS and PAM do not overlap.
I wonder how PAM gets system authentication information for pam_pwdb
or pam_unix or how it's called today
Richard Coleman [EMAIL PROTECTED] writes:
Replacing passwd/group/NSS/PAM/whatever with a real database or
directory backend is a kind of holy grail for Unix that's been
discussed for many years.
You're mixing apples and oranges here. NSS and PAM are not backends
in themselves
slave-mike [EMAIL PROTECTED] writes:
why does /bin/sh need NSS support?
Because /bin/sh uses getpwnam(). We've been through this before.
DES
--
Dag-Erling Smørgrav - [EMAIL PROTECTED]
slave-mike wrote:
why does /bin/sh need NSS support?
1. If you are using pam_ldap, tilde expansion will be broken in /bin/sh
without nss_ldap support.
2. Tilde expansion is required for POSIX conformance.
It's not the strongest rationale. But it's something to consider.
Richard Coleman
[EMAIL
Jacques A. Vidrine [EMAIL PROTECTED] writes:
NSS and PAM do not overlap. They are complimentary and one cannot do
the job of the other.
That is a bug in NSS, PAM or both.
(BTW, I think you mean that they are complementary, not complimentary,
although it is certainly true that some
[Threading intentionally broken.]
On Sat, Nov 29, 2003 at 01:16:25AM +0100, Dag-Erling Smørgrav wrote:
Jacques A. Vidrine [EMAIL PROTECTED] writes:
NSS and PAM do not overlap. They are complimentary and one cannot do
the job of the other.
That is a bug in NSS, PAM or both.
Interesting
Jacques A. Vidrine [EMAIL PROTECTED] writes:
Interesting. Explain, please. (Maybe privately or in another thread;
hate to keep this'n going.) Perhaps you mean that it is a design flaw
that two APIs are required. If so, I happen to disagree; I think that
the separation of directory services
.
DES
Replacing passwd/group/NSS/PAM/whatever with a real database or
directory backend is a kind of holy grail for Unix that's been discussed
for many years. I would love to see it happen. But I doubt it could
ever happen within a collaborative project like FreeBSD, since it would
in place, but it's hard to think of a system without
NSS and removing PAM now doesn't look right.
NSS and PAM do not overlap. They are complimentary and one cannot do
the job of the other.
Cheers,
--
Jacques Vidrine NTT/Verio SME FreeBSD UNIX Heimdal
[EMAIL PROTECTED] [EMAIL
or
PostgreSQL for user base management. PAM is only halfway there and
doesn't give libc et al. a notion of a user or group context (in spite
of its account context), NSS does. One might discuss if PAM is really
needed with NSS in place, but it's hard to think of a system without
NSS and removing PAM
On Wed, Nov 26, 2003 at 02:00:08AM +0100, Matthias Andree wrote:
As a user, I like /rescue better than the step-child that /stand/* used
to be. It's part of the world, which /stand wasn't.
Except that we still have /stand. It should be shot, but some won't let
it go...
On Tue, 25 Nov 2003, David O'Brien wrote:
On Wed, Nov 26, 2003 at 02:00:08AM +0100, Matthias Andree wrote:
As a user, I like /rescue better than the step-child that /stand/* used
to be. It's part of the world, which /stand wasn't.
Except that we still have /stand. It should be shot, but