On Fri, 5 Dec 2003, Dag-Erling Smørgrav wrote:

> Jacques Vidrine <nectar_at_freebsd.org> writes:
> > Applications that use PAM to change the password when the password
> > expires seem to work out OK.
>
> This works because each backend knows whether or not the password needs
> changing (there is a flag to tell the module to only ask for a new
> password if the current password has expired). When you are purposely
> changing your password before it expires, things are a little less
> clear.
>
> Things might be easier if NSS had a proper API which included entry
> points for storing and updating user information (and not just for
> retrieving). Then pam_unix wouldn't need to know anything about
> /etc/spwd.db or NIS; it would just retrieve the information from NSS,
> note that the password had expired, ask the user for a new password and
> tell NSS to store it.

I think I agree pretty strongly with your earlier comment that the current "struct passwd" is simply insufficient for a lot of the things we'd like to accomplish. It's good for UNIX app compatibility and home directory expansion, but it sounds like we need a much stronger notion of "user" than we currently have. We bump into this in the existence of login.conf, setusercontext(), and the MAC code. It might be worth digging into Apple's DirectoryServices, as well as Solaris's roles/etc equivalent.

Robert N M Watson
FreeBSD Core Team, TrustedBSD Projects
robert_at_fledge.watson.org
Senior Research Scientist, McAfee Research

Received on Thu Dec 04 2003 - 15:15:18 UTC