Gary Winiger wrote:
> I believe an EXAMPLES section with the examples in the
> proposal would help here.

I'll make sure the project team delivers the man page like that.

>> ATTRIBUTES
>> See attributes(5) for descriptions of the following attributes:
>>
>> ____________________________________________________________
>> |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
>> |_____________________________|_____________________________|
>> | Interface Stability         | Evolving                    |
>                                  ^^^^^^^^
>                                  Committed

>> 1. Background
>> -------------
>
>> If you have complex netgroups and use them with passwd compat mode then
>> there can be a noticeable and significant delay on every getpw*() call.
>> This is due to the need to walk the netgroup to find the user, this is
>> made worse because netgroups are not cached by nscd (but that is a
>> story for another day).
>
> Is this project still needed? Sparks is planned for the next
> update release of S10. Shouldn't it handle the performance
> issues noted here?

Yes, because this isn't just about the performance problem but also about using the proper interface for access to the system, i.e. PAM, not abusing the nameservice.

>> 2. Proposal
>> -----------
>
>> This is deliberately a file on the local host rather than something
>> held in LDAP against the user or host. There are other means for
>> restricting authentication when pam_ldap is used, these based on the
>> capabilities of the LDAP server and are sometimes specific to a given
>> LDAP server.
>
> I'm confused with what point is being made. LDAP is a name
> service and can serve up name service requests such as
> getpwent(), getnetrent(), ... pam_ldap(5) is a PAM service
> module that coerces an LDAP style directory service into
> an account authority.
> But you know that, thus my confusion.

PAM is what should be used to control access to a given system; this case provides a module to do that with the data stored in a local file. If you are using pam_ldap your directory server may give you a way to achieve a similar result. This is LDAP the Account Authority.

For LDAP the nameservice, using the compat syntax provided by nsswitch is an abuse, since one should be using PAM to control access to the system - that way the correct entries get written in the audit log, i.e. permission denied rather than account not found, or worse, authentication was okay but the shell is /bin/false.

>> There is also purposely no admin command, the customers requesting
>> this functionality want a raw file as that is what they already use
>> on Linux or on Solaris with the existing open source module.
>
> IMO, this is an excuse for not providing a properly auditable
> administrative interface and not a reason.

I disagree; we are giving the customers what they want and what they need. I agree it doesn't provide an easily audited admin interface, but the funding just isn't there to provide that capability, and we really can't hold off providing this simple module any longer; our customers are already really, really annoyed it has taken us so long to do so.

-- 
Darren J Moffat