On 03/30/13 15:18, Samuel J. Greear wrote:
I think the cleanest solution is to compile in a pam module to kick auth 
requests to an auth daemon that is capable of loading nss modules (or even 
other pam modules). That said, I have neither verified that this is absolutely 
possible within the constraints of the NSS API, nor do I intend to be the one 
doing the work, not having any pressing need for NSS myself.

Reflecting more - I think it's impossible to have a solution that fits both 
needs -

E.g.:

- dynamic support for key system routines is required for dynamic sources of 
data
- static support for key system routines rules out dynamic sources of data

so either you have to introduce something 'dynamic' (which removes the 'safety' 
of static)
or you leave it static, which rules out 'dynamic'

So I agree the 'auth daemon' approach is probably the cleanest because it 
allows a way to have a 'controlled escape' into (e.g. static level of) 
'dynamic lookup'

but, that leaves poor franceois out in the cold w/r/t ldap + KRB :D

Maybe a build flag is a happy medium until someone can 'do it right'?

Cheers,

- Chris






