Re: centralized auth and nsswitch.conf

From: Richard Coleman <richardcoleman@xxxxxxxxxxxxxx>
Date: Thu, 24 Jul 2003 13:39:02 -0400

Peter da Silva wrote:

> One simple way to achieve this is to support nsswitch.conf and have LDAP support as one of the available switches.

For compatibility, I guess.

> The native name server would be accessed through messages and hide
> as much of this complexity as possible from the application.

That's the reason I'm hoping this problem will be given some thought. What is happening now is that tons of applications are building in their own support for some type of centralized authentication or directory lookup. Look at all the configure options for sendmail, postfix, sasl, mozilla, etc. to add LDAP support to look up information.

I guess I've got this on the top of my mind since I've been doing some design work on FreeBSD to do centralized authentication and single sign-on. The number of alternatives is very large, and all require a lot of integration to make work. Some of the choices you immediately hit are:

0. Do you use the old school method (rsync passwords, whatever)?
1. Do you use PAM, native LDAP, or native Kerberos functionality?
2. PAM can internally call LDAP (pam_ldap) or Kerberos (pam_krb5).
3. Kerberos can store its data in an LDAP server (patches to Heimdal).
4. Your LDAP server can do native authentication, Kerberos, or SASL.
5. SASL can do native database (sasldb2), use Kerberos, call an LDAP server, or use PAM.
6. Etc. The options go into a weird recursive loop.

Richard Coleman
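The following is an added illustration, not code from this message, from FreeBSD, or from any of the projects named in the thread. It models the nsswitch.conf mechanism Peter proposed as the integration point: the application asks the switch for a passwd or group entry, the switch walks the configured sources (here "files" and "ldap") in order and applies the per-status action modifiers from nsswitch.conf(5) to decide whether to stop or try the next source. The configuration text, the account and group records, and the stand-in "ldap is down" backend are all constructed for the example; the status names and default actions ([SUCCESS=return NOTFOUND=continue UNAVAIL=continue TRYAGAIN=continue]) follow the nsswitch.conf(5) manual.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Lookup outcomes and default actions, as named in nsswitch.conf(5).
SUCCESS, NOTFOUND, UNAVAIL, TRYAGAIN = "success", "notfound", "unavail", "tryagain"
STATUSES = (SUCCESS, NOTFOUND, UNAVAIL, TRYAGAIN)
DEFAULT_ACTIONS = {SUCCESS: "return", NOTFOUND: "continue",
                   UNAVAIL: "continue", TRYAGAIN: "continue"}

Entry = Tuple[str, Dict[str, str]]          # (source name, {status: action})
Source = Callable[[str], Tuple[str, Optional[dict]]]

# Constructed nsswitch.conf fragment for the example (not from any real host).
SAMPLE_NSSWITCH = """\
# local files first, directory second
passwd: files ldap
# a definitive "no such group" in files must not fall through to the directory
group:  files [NOTFOUND=return] ldap
"""


def parse_nsswitch(text: str) -> Dict[str, List[Entry]]:
    """Parse nsswitch.conf text into {database: [(source, {status: action}), ...]}.

    An action list such as [NOTFOUND=return UNAVAIL=return] binds to the source
    written before it; "!STATUS=action" applies to every status except STATUS.
    """
    conf: Dict[str, List[Entry]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        db, _, rest = line.partition(":")
        entries: List[Entry] = []
        # Tokens are either a bracketed action list or a bare source name.
        for bracket, source in re.findall(r"\[([^\]]*)\]|(\S+)", rest):
            if source:
                entries.append((source.lower(), {}))
                continue
            if not entries:
                raise ValueError(f"action list before any source: {line!r}")
            actions = entries[-1][1]
            for item in bracket.split():
                status, _, action = item.partition("=")
                negate = status.startswith("!")
                status = status.lstrip("!").lower()
                if status not in STATUSES or action not in ("return", "continue"):
                    raise ValueError(f"bad action {item!r} in {line!r}")
                for s in STATUSES:
                    if (s == status) != negate:
                        actions[s] = action
        conf[db.strip().lower()] = entries
    return conf


def lookup(conf: Dict[str, List[Entry]], database: str, key: str,
           sources: Dict[str, Source], trace: Optional[list] = None):
    """Resolve `key` in `database` the way the switch would on behalf of an application.

    `sources` maps a source name to a callable returning (status, record). A source
    named in the config but not registered is treated as UNAVAIL, like a missing
    NSS module. Returns (status, record); record is None unless status is SUCCESS.
    """
    status, record = NOTFOUND, None
    for source, actions in conf.get(database, []):
        backend = sources.get(source)
        status, record = backend(key) if backend else (UNAVAIL, None)
        if trace is not None:
            trace.append((source, status))
        if actions.get(status, DEFAULT_ACTIONS[status]) == "return":
            break
    return status, (record if status == SUCCESS else None)


# Constructed sample records; none of these are real accounts.
FILES_PASSWD = {"root": {"uid": 0, "home": "/root"},
                "alice": {"uid": 1001, "home": "/home/alice"}}
FILES_GROUP = {"wheel": {"gid": 0, "members": ["root"]}}
LDAP_PASSWD = {"bob": {"uid": 2002, "home": "/home/bob"}}
LDAP_GROUP = {"staff": {"gid": 500, "members": ["bob"]}}


def table_source(table: dict) -> Source:
    """Backend answering from an in-memory table (stands in for files or a live LDAP)."""
    return lambda key: (SUCCESS, table[key]) if key in table else (NOTFOUND, None)


def down_source(_key: str):
    """Stand-in for an LDAP server that cannot be reached."""
    return UNAVAIL, None


def demo() -> dict:
    conf = parse_nsswitch(SAMPLE_NSSWITCH)
    passwd_up = {"files": table_source(FILES_PASSWD), "ldap": table_source(LDAP_PASSWD)}
    passwd_down = {"files": table_source(FILES_PASSWD), "ldap": down_source}
    group = {"files": table_source(FILES_GROUP), "ldap": table_source(LDAP_GROUP)}
    staff_trace: list = []
    return {
        "alice": lookup(conf, "passwd", "alice", passwd_up),       # files answers, ldap never asked
        "bob": lookup(conf, "passwd", "bob", passwd_up),           # falls through to ldap
        "bob_down": lookup(conf, "passwd", "bob", passwd_down),    # directory down: UNAVAIL, not a quiet NOTFOUND
        "staff": lookup(conf, "group", "staff", group, staff_trace),  # [NOTFOUND=return] stops at files
        "staff_trace": staff_trace,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the trace makes is that the application only ever calls `lookup`; whether a record came from files, from LDAP, or from nowhere because the directory was down is decided by the switch configuration, and the action modifiers control whether a source's answer is final or whether the next source is consulted.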

