On Mon, 2003-12-01 at 21:24, Tim Kientzle wrote:
> Why is the directory "usually the worst" for storing
> authentication information?
This one's fairly easy to answer: you want to stick authentication data
into a potentially public/exposed directory? Even traditional Unix uses
/etc/shadow (or mo
Garrett Wollman wrote:
<
The problem is that the authentication information needs to be stored
somewhere, and the usual solution is to store it in the directory,
...which is usually the worst possible place. Please don't penalize
those of us with sensible authentication systems.
Care to elaborat
Garrett Wollman <[EMAIL PROTECTED]> writes:
> < =?iso-8859-1?q?Sm=F8rgrav?=) said:
> > The problem is that the authentication information needs to be stored
> > somewhere, and the usual solution is to store it in the directory,
> ...which is usually the worst possible place. Please don't penalize
< The problem is that the authentication information needs to be stored
> somewhere, and the usual solution is to store it in the directory,
...which is usually the worst possible place. Please don't penalize
those of us with sensible authentication systems.
-GAWollman
"Jacques A. Vidrine" <[EMAIL PROTECTED]> writes:
> Hmm, I disagree completely. :-) [...]
You are bringing authorization into the fray... we're talking about
directory services (retrieving information about a user) and
authentication (identifying someone as that user), not authorization.
> > Al
t of the mud, so we
> are forced to keep rooting around in it.
What's an example of what you mean? The BSD nsswitch implementation
has a generic nsdispatch(3) that allows for new applications, but I'm
not sure that is what you mean. At any rate, it is not `NSS' proper, it
i
On Mon, 2003-12-01 at 11:48, Dag-Erling SmÃrgrav wrote:
> > If I understand you correctly, you believe that it would be possible
> > to unite the NSS and PAM switches, so that they used the same
> > configuration file, dynamic loading mechanisms, cascading, and so
> > o
On Mon, 1 Dec 2003, Dag-Erling Smørgrav wrote:
> "Jacques A. Vidrine" <[EMAIL PROTECTED]> writes:
> > By `the two', do you mean directory services and authentication? They
> > are certainly not `essentially one'. But I suspect you know this and
> > I am just misunderstanding your meaning.
>
> T
eed to
> be re-written in order to utilize NSS. That's a lot of code to change
> for little benefit.
Backward compatibility is fine, but NSS does not seem to export an API
that we can use when we want to lift ourselves out of the mud, so we
are forced to keep rooting around in it. On
wrong with it today could be fixed by
> redesigning it to include directory services. If you fixed the
> conversation system (by formalizing service function execution as an
> FSM) and cleaned up the configuration syntax, you'd end up with
> something quite nice.
If I understand you
On Sat, Nov 29, 2003 at 02:01:02PM +0100, Matthias Andree wrote:
> "Jacques A. Vidrine" <[EMAIL PROTECTED]> writes:
> > NSS and PAM do not overlap.
>
> I wonder how PAM gets "system" authentication information for pam_pwdb
> or pam_unix or how it'
slave-mike wrote:
why does /bin/sh need NSS support?
1. If you are using pam_ldap, tilde expansion will be broken in /bin/sh
without nss_ldap support.
2. Tilde expansion is required for POSIX conformance.
It's not the strongest rationale. But it's something to consider.
Richard Coleman
[EMAIL
slave-mike <[EMAIL PROTECTED]> writes:
> why does /bin/sh need NSS support?
Because /bin/sh uses getpwnam(). We've been through this before.
DES
--
Dag-Erling Smørgrav - [EMAIL PROTECTED]
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mai
Richard Coleman <[EMAIL PROTECTED]> writes:
> Replacing passwd/group/NSS/PAM/whatever with a real database or
> directory backend is a kind of holy grail for Unix that's been
> discussed for many years.
You're mixing apples and oranges here. NSS and PAM are not backend
and
>> doesn't give libc et al. a notion of a user or group context (in spite
>> of its "account" context), NSS does. One might discuss if PAM is really
>> needed with NSS in place, but it's hard to think of a system without
>> NSS and removing PAM now doesn
why does /bin/sh need NSS support?
Jacques A. Vidrine wrote:
[Threading intentionally broken.]
On Sat, Nov 29, 2003 at 01:16:25AM +0100, Dag-Erling Sm?rgrav wrote:
"Jacques A. Vidrine" <[EMAIL PROTECTED]> writes:
NSS and PAM do not overlap. They are complimentary and one cann
Dag-Erling Smørgrav wrote:
NSS itself doesn't make much sense to me; it's an elaborate hack
designed to drag all those nice shiny directory services down in the
mud where struct passwd has been wallowing for the past twenty years,
instead of allowing applications to take advantage of their superior
"Jacques A. Vidrine" <[EMAIL PROTECTED]> writes:
> Interesting. Explain, please. (Maybe privately or in another thread;
> hate to keep this'n going.) Perhaps you mean that it is a design flaw
> that two APIs are required. If so, I happen to disagree; I think that
> the separation of directory s
[Threading intentionally broken.]
On Sat, Nov 29, 2003 at 01:16:25AM +0100, Dag-Erling Smørgrav wrote:
> "Jacques A. Vidrine" <[EMAIL PROTECTED]> writes:
> > NSS and PAM do not overlap. They are complimentary and one cannot do
> > the job of the other.
>
&
"Jacques A. Vidrine" <[EMAIL PROTECTED]> writes:
> NSS and PAM do not overlap. They are complimentary and one cannot do
> the job of the other.
That is a bug in NSS, PAM or both.
(BTW, I think you mean that they are complementary, not complimentary,
although it is ce
ount" context), NSS does. One might discuss if PAM is really
> needed with NSS in place, but it's hard to think of a system without
> NSS and removing PAM now doesn't look right.
NSS and PAM do not overlap. They are complimentary and one cannot do
the job of the other.
C
On Tue, 25 Nov 2003, David O'Brien wrote:
> On Wed, Nov 26, 2003 at 02:00:08AM +0100, Matthias Andree wrote:
> > As a user, I like /rescue better than the step-child that /stand/* used
> > to be. It's part of the world, which /stand wasn't.
>
> Except that we still have /stand. It should be shot
On Wed, Nov 26, 2003 at 02:00:08AM +0100, Matthias Andree wrote:
> As a user, I like /rescue better than the step-child that /stand/* used
> to be. It's part of the world, which /stand wasn't.
Except that we still have /stand. It should be shot, but some won't let
it go...
___
Matthew Dillon <[EMAIL PROTECTED]> writes:
> How much do you intend to use NSS for? I mean, what's the point of
> adopting this cool infrastructure if all you are going to do with it
> is make a better PAM out of it?
The important thing is that NSS allows to plug modules such as LDAP
24 matches
Mail list logo