Re: centralized auth and nsswitch.conf

[Richard Coleman <richardcoleman@xxxxxxxxxxxxxx>]

Peter da Silva wrote:

> > One simple way to achieve this is to support nsswitch.conf and have 
> > LDAP support as one of the available switches.
>
> For compatibility, I guess.
>
> The native name server would be accessed through messages and hide
> as much of this complexity as possible from the application.

That's the reason I'm hoping this problem will be given some thought. 
What is happening now, is that tons of applications are building in 
their own support for some type of centralized authentication or 
directory lookup.  Look at all the configure options for sendmail, 
postifix, sasl, mozilla, etc. to add LDAP support to look up information.

I guess I've got this on the top of my mind since I've been doing some 
design work on FreeBSD to do centralized authentication and single 
sign-on.  The number of alternatives is very large, and all require alot 
of integration to make work.  Some of the choices you immediately hit are:

0. Do you use the old school method (rsync passwords, whatever)?
1. Do you use PAM, native LDAP, or native Kerberos funtionality?
2. Pam can internally call LDAP (pam_ldap) or Kerberos (pam_kbr5).
3. Kerberos can store its data in an LDAP server (patches to Heimdal).
4. Your LDAP server can do native authentication, Kerberos, or SASL.
5. SASL can do native database(sasldb2), use Kerberos, call an LDAP 
server, or use PAM.
6. Etc.  The options go into a weird recursive loop.

Richard Coleman