On Mon, 1 Dec 2003, Dag-Erling Smørgrav wrote: > "Jacques A. Vidrine" <nectar_at_FreeBSD.org> writes: > > By `the two', do you mean directory services and authentication? They > > are certainly not `essentially one'. But I suspect you know this and > > I am just misunderstanding your meaning. > > They are different issues, but in this context you can't discuss one > without the other. Authentication doesn't work unless you have a user > to authenticate. It makes no sense to separate them; you just end up > duplicating a lot of concepts and code. > > Also, is changing your password an authentication function or a > directory function? I don't think you can answer either without > answering both. It strikes me that there are two separate issues: (1) Whether or not there's a useful distinction between authentication services and directory services. (2) If there is or isn't such a distinction in (1), whether or not that distinction should appear in the implementation. In practice, people frequently mix and match authentication services and directory services, and there are services that implement one but not the other. For example, Kerberos5 for authentication an LDAP for directory services is a common combination: however, Kerberos doesn't provide directory services, only principal authentication. Likewise, even on purely local systems, the account directory services (pwent, et al) may be distinct from principal authentication using one-time passwords, etc. I'm not opposed to the fundamental idea of combining mechanism, but there are some practical underlying differences between directory services and authentication, even though there's clear overlap. Robert N M Watson FreeBSD Core Team, TrustedBSD Projects robert_at_fledge.watson.org Senior Research Scientist, McAfee ResearchReceived on Mon Dec 01 2003 - 08:18:20 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:37:32 UTC