Re: Bind update

[David Rhodus <drhodus@xxxxxxxxx>]

Richard Coleman wrote:

> Most people don't really care whether / is dynamic or static.  They 
> just want NSS to work correctly.  Or more accurately, they want their 
> centralized authentication to work correctly.
>
> It has become very common to implement centralized authentication 
> using LDAP (or mysql).  I've done this in several large projects for 
> my previous employer (large web hosting company).  It's harder than it 
> sounds.  If not done correctly, lots of little things do not work 
> quite right (accounting file, or seeing uid in "ls" listing rather 
> than username).
>
> The most expedient method is dynamically linking in the correct NSS 
> resolver.  Other methods are possible (static resolver talking to 
> resolver daemon).  But with these other methods, I wonder how we can 
> get all the third party PAM and NSS modules working.  There are lots 
> of them, and most assume the dynamic library method.


Right! Your statement about having to try and make all of this cruff 
work correctly is what I've
seen too many times. This is why I'm not sure NSS will help anything, 
most likely add more cruff
that has no synchronization boundary defined. One of the things we'll be 
doing in DragonFly
is to replace PAM/NSS with something much cleaner and efficient. Most of 
the protection
domains defined by these mechanisms are questionable for many reasons 
not just the added
complexly wrapped around them. As I've been working on some of the 
shared messaging
protocol code the past few days, I've found my self thinking about how 
to work in a clean
implementation of some rendezvous type code, which leads me back to the 
thought of how
we will be doing a lookupd type system in DragonFly. Which at that point 
we'll be able
to sit aside PAM/NSS, as they are in my book completely useless anyways. 
Anymore,
when I'm asked to implement a centralized authentication system using 
anything LDAP / MySQL
or anything, I'll spend the first day writing a User Account Management 
System for which
everything will use a custom client defined for the system type to 
authenticate off of the DB system.
I've been extremely successful is using a custom authentication method 
across various platforms, HPUX solaris, BSD, linux, AIX, etc.. than 
trying to make a PAM/NSS setup work.

-DR