Re: [OT] getpwnam() interface (was Re: PAM and the pwd.h interface

On Mon, 11 Jun 2001, Chris Jaeger wrote:

> Chris Jaeger wrote:
> >         It does seem a little bit awkward that one has
> > to write two libraries conforming to separate APIs in order
> > to authenticate a user and retrieve his or her attributes.
> > I do agree with Nicolas though, that targeting the read-side
> > of the API(s) may be more appropriate.
> > 
> > 
> 	Just to be clear... Targeting the read-side of the
> API *first* may be more appropriate. 

Ok. I look at this issue as the difference between letting users log in and
letting them change their password.  Obviously we need to focus on letting
them log in, but they need to change their password too.  Therefore, both
sides of the API are important.

> Perhaps PAM and NSS
> should be made one API, given that both deal with attributes
> (the information necessary to authenticate a user being the
> attributes that PAM is primarily concerned with now). Or
> perhaps a rewrite of NSS with PAM's configurability.

So there are 2 options: a redesign of NSS, or additions to PAM.

NSS just doesn't seem flexible enough to me (or several other people I've 
spoken with).  The primary purpose of NSS is not user authentication,
whereas it is with PAM.  As you said, it does seem silly to have to
configure 2 libraries when doing 1 thing.

In my opinion it is MUCH more practical to do this in PAM.  Have you ever
looked at glibc? Developing for glibc is a nightmare. It's a mess. Just
look at the makefile setup if you don't believe me :).



> I'll admit that I'm not currently looking for the best API; just
> one that would allow me to get away with what I want without
> having to customize many applications. 
>

Yeah, I know. I don't have much input on this, sorry.

 
> 	The funny thing is that having read up on NSS now,
> I could achieve what I want through a new NSS library in
> most of those 98% of applications that I mentioned earlier.
> However, the 2% that seem to do things the right way (Linux's
> login, Michael Tokarev's POP daemon) still require that I
> use my PAM module. So there is obviously something missing
> somewhere.

The 2% you mention brings up a great reason to do this in PAM.  If the
applications get the information from PAM, the information is
service-dependent. This is "very" good. It provides an extremely high
level of flexibility.  One such example is the use of non-system-wide
accounts for a specific service (email, ftp). When done through PAM, this
becomes trivial.  Through NSS, this is an impossibility.  This flexibility
is one of the primary reasons I like the idea of additions to PAM better.

> 
> Chris
> 
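Added illustration (not part of the original mail or of Linux-PAM/glibc): the contrast the reply draws between a per-service PAM stack and the system-wide NSS configuration, shown as the two configuration files an administrator would actually edit. The service name `pop3` and the database path `/etc/pop3-users.db` are assumptions; `pam_userdb.so` and its `db=`/`crypt=` options, and the `passwd:` line of `nsswitch.conf`, are standard Linux-PAM and glibc features.

```text
# /etc/pam.d/pop3   (assumed service name; one file per PAM service)
# Only the POP3 daemon consults this stack, so these accounts exist
# for this one service and nowhere else on the system.
auth     required  pam_userdb.so  db=/etc/pop3-users  crypt=crypt
account  required  pam_permit.so

# /etc/pam.d/login   (unchanged: system accounts via the normal stack)
auth     required  pam_unix.so
account  required  pam_unix.so

# /etc/nsswitch.conf  (global: there is one of these for every program
# that calls getpwnam()/getpwuid(), with no notion of "which service")
passwd:  files nis
group:   files nis
shadow:  files
```

The asymmetry the reply describes falls out directly: the POP3 daemon can authenticate a user listed only in `/etc/pop3-users.db`, but that user has no entry any `passwd:` source knows about, so a subsequent `getpwnam()` in the same daemon (for a home directory or UID) still fails. Adding a new NSS module would make the accounts visible to every process on the machine at once, since `nsswitch.conf` cannot be scoped to one service; that is the "read side" gap the thread is trying to close.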