DragonFly BSD
DragonFly kernel List (threaded) for 2003-11

Re: Bind update

To: Joerg Sonnenberger <joerg@xxxxxxxxxxxxxxxxx>
From: Richard Coleman <richardcoleman@xxxxxxxxxxxxxx>
Date: Sun, 23 Nov 2003 10:34:31 -0500

Joerg Sonnenberger wrote:

Most people don't really care whether / is dynamic or static. They just want NSS to work correctly. Or more accurately, they want their centralized authentication to work correctly.

NSS != authentication. The evil implementation of authentication is PAM.
So to summarize the PAM vs. BSD auth discussion on NetBSD:
- BSD auth is simpler
- PAM seems to be pretty standard and platform independent
- the only thing BSD auth can't directly do is the PAG for AFS
- many PAM modules can run with a wrapper
- BSD auth cannot affect the calling process, e.g. by changing random stuff

Well, I was just being sloppy. When I talk about centralized authentication, I'm actually talking about something more general than just handling the authentication phase. I want to centralize all aspects of user/group account management (authentication, authorization, uid -> username mappings, etc). I imagine this is common for most sysadmins that want to build such systems.

I've gone through the NetBSD archives and read the thread on BSD auth versus shared libraries, but never found many details on the BSD auth method. Where can I read about this?

So far, the only working systems I've seen accomplish this are using dynamic libraries (that's how it's done in Solaris, Linux, and now FreeBSD-current). I've never seen anyone actually implement the alternates that are discussed in a method that solves all the necessary problems.

Most of the people that argue against this try to convince everyone that they don't really need those features, and the arguments degenerate from there.

Richard Coleman
