On Sat, Nov 29, 2003 at 02:45:24AM +0100, Dag-Erling Smørgrav wrote:
> "Jacques A. Vidrine" <nectar_at_FreeBSD.org> writes:
> > Interesting.  Explain, please.  (Maybe privately or in another thread;
> > hate to keep this'n going.)  Perhaps you mean that it is a design flaw
> > that two APIs are required.  If so, I happen to disagree; I think that
> > the separation of directory services and authentication is appropriate
> > and necessary.
>
> No, the two are essentially one.  We just think they aren't because
> we've been brainwashed to think of users in terms of uids and gids and
> especially struct passwd, which deserves to die.

By `the two', do you mean directory services and authentication?  They
are certainly not `essentially one'.  But I suspect you know this and I
am just misunderstanding your meaning.

> NSS itself doesn't make much sense to me; it's an elaborate hack
> designed to drag all those nice shiny directory services down in the
> mud where struct passwd has been wallowing for the past twenty years,
> instead of allowing applications to take advantage of their superior
> functionality.

I guess I think of it this way.  If NSS had not been implemented `down
in the mud' (inside getpw*, getgr*, gethostby*, etc.), then applications
that used the UNIX directory service APIs would need to be re-written in
order to utilize NSS.  That's a lot of code to change for little benefit.

PAM is different.  Applications *had* to be re-written to utilize PAM,
because previously there was no real authentication API, just crypt()
and strcmp()--- obviously insufficient for many authentication methods
:-)

> As for PAM, a lot of what's wrong with it today could be fixed by
> redesigning it to include directory services.  If you fixed the
> conversation system (by formalizing service function execution as an
> FSM) and cleaned up the configuration syntax, you'd end up with
> something quite nice.

If I understand you correctly, you believe that it would be possible to
unite the NSS and PAM switches, so that they used the same configuration
file, dynamic loading mechanisms, cascading, and so on.  Sure, I think
that's possible.  There might even be some benefit, though probably not
enough benefit to abandon PAM/NSS and go our own way.

Cheers,
-- 
Jacques Vidrine   NTT/Verio SME   FreeBSD UNIX   Heimdal
nectar_at_celabo.org   jvidrine_at_verio.net   nectar_at_freebsd.org   nectar_at_kth.se

Received on Mon Dec 01 2003 - 05:27:40 UTC
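The "cascading" the message refers to is the part of PAM that bites people in practice: the control flag on each line of a service's stack decides whether a module's result ends the walk, is remembered, or is ignored. The following C program is an added illustration, not code from the thread or from any PAM implementation. It simulates the documented semantics of the four classic flags (required, requisite, sufficient, optional) over constructed stacks; the module names are real module names used only as labels, and the return codes and the PAM_* defines are stand-ins chosen for the example, not libpam's own constants. Nothing here links against libpam.

```c
/* Added example: simulate how a PAM stack cascades under its control flags.
 * Module results and the PAM_* values are constructed for illustration. */
#include <stddef.h>
#include <stdio.h>

#define PAM_OK         0  /* stands in for PAM_SUCCESS */
#define PAM_AUTH_FAIL  7  /* stands in for a module's authentication failure */
#define PAM_DENIED     6  /* stands in for PAM_PERM_DENIED: nothing decided */

typedef enum { REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL } control_t;

typedef struct {
    control_t   control;
    const char *module;  /* label only; constructed for the example */
    int         result;  /* what the module would return; 0 = success */
} stack_entry;

size_t modules_run = 0;  /* how many modules the last evaluation invoked */

/* Walk the stack top to bottom:
 *  requisite:  failure ends the walk now (returning the first required/
 *              requisite error), success counts like required;
 *  required:   failure is remembered but the rest still runs, so a caller
 *              cannot tell which module rejected it;
 *  sufficient: success ends the walk with PAM_OK unless a required module
 *              already failed; failure is ignored;
 *  optional:   decides the outcome only if nothing else did. */
int eval_stack(const stack_entry *stack, size_t n)
{
    int required_err = PAM_OK, have_success = 0, optional_result = -1;
    size_t i;

    for (i = 0; i < n; i++) {
        int r = stack[i].result;
        switch (stack[i].control) {
        case REQUISITE:
            if (r != PAM_OK) {
                modules_run = i + 1;
                return required_err != PAM_OK ? required_err : r;
            }
            have_success = 1;
            break;
        case REQUIRED:
            if (r != PAM_OK) { if (required_err == PAM_OK) required_err = r; }
            else have_success = 1;
            break;
        case SUFFICIENT:
            if (r == PAM_OK && required_err == PAM_OK) {
                modules_run = i + 1;
                return PAM_OK;  /* short-circuits everything below */
            }
            break;
        case OPTIONAL:
            optional_result = r;
            break;
        }
    }
    modules_run = n;
    if (required_err != PAM_OK) return required_err;
    if (have_success)           return PAM_OK;
    if (optional_result >= 0)   return optional_result;
    return PAM_DENIED;
}

/* One-time-password module that does not apply to this user, then the
 * ordinary password check: falls through to pam_unix, both run. */
int scenario_fallthrough(void)
{
    const stack_entry s[] = { { SUFFICIENT, "pam_opie.so", PAM_AUTH_FAIL },
                              { REQUIRED,   "pam_unix.so", PAM_OK } };
    return eval_stack(s, 2);
}

/* Password check fails: a later sufficient success cannot rescue it, and
 * every remaining module is still invoked. */
int scenario_required_failure(void)
{
    const stack_entry s[] = { { REQUIRED,   "pam_unix.so",    PAM_AUTH_FAIL },
                              { SUFFICIENT, "pam_opie.so",    PAM_OK },
                              { OPTIONAL,   "pam_lastlog.so", PAM_OK } };
    return eval_stack(s, 3);
}

/* requisite aborts at once; nothing below it is consulted. */
int scenario_requisite_abort(void)
{
    const stack_entry s[] = { { REQUISITE, "pam_securetty.so", PAM_AUTH_FAIL },
                              { REQUIRED,  "pam_unix.so",      PAM_OK } };
    return eval_stack(s, 2);
}

/* Misordered stack: an always-succeeding sufficient module placed above
 * the password check makes that check unreachable. */
int scenario_permit_bypass(void)
{
    const stack_entry s[] = { { SUFFICIENT, "pam_permit.so", PAM_OK },
                              { REQUIRED,   "pam_unix.so",   PAM_AUTH_FAIL } };
    return eval_stack(s, 2);
}

int main(void)
{
    printf("fallthrough:      %d (%zu run)\n", scenario_fallthrough(), modules_run);
    printf("required failure: %d (%zu run)\n", scenario_required_failure(), modules_run);
    printf("requisite abort:  %d (%zu run)\n", scenario_requisite_abort(), modules_run);
    printf("permit bypass:    %d (%zu run)\n", scenario_permit_bypass(), modules_run);
    return 0;
}
```

The last scenario is the one to check for when auditing a pam.conf or pam.d entry: a `sufficient` line that can never fail, placed before the module that actually authenticates, silently turns the rest of the stack into dead configuration.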