"Jacques A. Vidrine" <nectar_at_FreeBSD.org> writes:
> Hmm, I disagree completely. :-) [...] You are bringing authorization
> into the fray... we're talking about directory services (retrieving
> information about a user) and authentication (identifying someone as
> that user), not authorization.
> > Also, is changing your password an authentication function or a
> > directory function? I don't think you can answer either without
> > answering both.
> I think it is strictly an authentication function. The change in your
> password has no effect on your UID, or your phone number, or in what
> ACLs your name appears in.

The problem is that the authentication information needs to be stored
somewhere, and the usual solution is to store it in the directory, so
changing the password involves both authentication and directory
services.

> > Backward compatibility is fine, but NSS does not seem to export an API
> > that we can use when we want to lift ourselves out of the mud, so we
> > are forced to keep rooting around in it.
> What's an example of what you mean? The BSD nsswitch implementation
> has a generic nsdispatch(3) that allows for new applications, but I'm
> not sure that is what you mean. At any rate, it is not `NSS' proper, it
> is an implementation detail.

Like you say, it is an implementation detail, and it is far too
low-level to be of use. We need an API that retrieves information about
a user according to rules established by the administrator
(nsswitch.conf or pam.conf or whatever) and is flexible enough to handle
the fact that different directories store different amounts of
information about the users at different levels of detail (for
instance, LDAP stores first and last name separately while /etc/passwd
only has the one GCOS field).

> It seems to me that this is a direct result of passwd(1) confusing
> authentication and authorization. Other than determining the default
> target user name from the current UID, passwd(1) needs only to invoke
> PAM interfaces to change your password for any authentication method
> that supports password changing.

No, because PAM doesn't control retrieval of the user information. If
it did, it would be as simple as you say, but it doesn't - NSS does - so
it's a nightmare. Imagine the case where different directories contain
different entries for the same user, or for different users who happen
to have the same name; this is standard practice with NIS. Which
directory do you write the modified entry into? The obvious answer is
"the one it came out of in the first place", but PAM doesn't know which
one that was.

DES
-- 
Dag-Erling Smørgrav - des_at_des.no

Received on Mon Dec 01 2003 - 13:25:00 UTC
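The source-tracking lookup the message above is asking for, shown as an added illustration that is not code from this thread or from FreeBSD's libc: a toy nsdispatch(3)-style walk over two constructed in-memory directories ("files" and "nis") that returns the answering source together with the entry, so that a password change can be written back to the directory the entry came from rather than to whichever directory happens to hold the same login. The tables, logins and "hash-..." strings are constructed sample data, the lookup order "files nis" stands in for an nsswitch.conf line, and the function names are the example's own.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define HASHLEN 64

/* One password entry. Constructed sample data, not a real passwd file or NIS map. */
struct pwent {
    const char *name;
    uid_t       uid;
    const char *gecos;
    char        hash[HASHLEN];   /* stored authenticator; placeholder strings here */
};

/* Two constructed directories. "alice" exists in both with different UIDs,
 * which is the NIS-era situation the message describes. */
static struct pwent files_db[] = {
    { "root",  0,    "Charlie Root",  "hash-files-root"  },
    { "alice", 1001, "Alice (local)", "hash-files-alice" },
    { NULL,    0,    NULL,            ""                 },
};
static struct pwent nis_db[] = {
    { "alice", 5001, "Alice (NIS)",   "hash-nis-alice"   },
    { "bob",   5002, "Bob (NIS)",     "hash-nis-bob"     },
    { NULL,    0,    NULL,            ""                 },
};

/* A source pairs the name used in nsswitch.conf with its backing table. */
struct source {
    const char   *name;
    struct pwent *db;
};
static struct source sources[] = {
    { "files", files_db },
    { "nis",   nis_db   },
};
#define NSOURCES (sizeof sources / sizeof sources[0])

/* Administrator policy, as "passwd: files nis" in nsswitch.conf would state it (assumed). */
static const char *lookup_order[] = { "files", "nis" };
#define NORDER (sizeof lookup_order / sizeof lookup_order[0])

/* Result of a source-aware lookup: the entry and the source that supplied it. */
struct pwresult {
    struct pwent *ent;      /* NULL when no source knows the login */
    const char   *source;   /* NULL when ent is NULL */
};

static struct source *find_source(const char *name)
{
    for (size_t i = 0; i < NSOURCES; i++)
        if (strcmp(sources[i].name, name) == 0)
            return &sources[i];
    return NULL;
}

/* Walk the configured sources in order and stop at the first hit, as a
 * dispatcher would; unlike getpwnam(3), the answer also names the source. */
struct pwresult lookup_with_source(const char *login)
{
    struct pwresult r = { NULL, NULL };
    for (size_t i = 0; i < NORDER; i++) {
        struct source *s = find_source(lookup_order[i]);
        if (s == NULL)
            continue;   /* policy names a source we have no backend for */
        for (struct pwent *e = s->db; e->name != NULL; e++) {
            if (strcmp(e->name, login) == 0) {
                r.ent = e;
                r.source = s->name;
                return r;
            }
        }
    }
    return r;
}

/* Write the new authenticator into the source the entry was read from and
 * nowhere else. Returns 0 on success, -1 if the login is unknown. A real
 * backend would do a files/NIS/LDAP-specific update; the table stands in. */
int change_password(const char *login, const char *newhash)
{
    struct pwresult r = lookup_with_source(login);
    if (r.ent == NULL)
        return -1;
    snprintf(r.ent->hash, sizeof r.ent->hash, "%s", newhash);
    return 0;
}

/* Inspect one named source directly, to confirm which copy was touched. */
const char *hash_in_source(const char *srcname, const char *login)
{
    struct source *s = find_source(srcname);
    if (s == NULL)
        return NULL;
    for (struct pwent *e = s->db; e->name != NULL; e++)
        if (strcmp(e->name, login) == 0)
            return e->hash;
    return NULL;
}

int main(void)
{
    struct pwresult r = lookup_with_source("alice");
    printf("alice -> uid %ld from %s\n", (long)r.ent->uid, r.source);
    change_password("alice", "hash-files-alice-NEW");
    printf("files: %s  nis: %s\n", hash_in_source("files", "alice"),
           hash_in_source("nis", "alice"));
    return 0;
}
```

The point of returning the source name is the write-back: with a plain getpwnam(3)-shaped interface the caller sees uid 1001 for "alice" but has no way to know that "files" answered, and a password module that guesses "nis" would silently update the other alice. The check that the "nis" copy is untouched after the change is what a test of such an API should assert.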