Hi,

for some time now, I have been investigating how to best make a desktop system talk to a web API (HTTP, REST) for user management, so NSS and PAM make HTTP requests to an API to verify authentication (using OIDC) and to retrieve NIS information (using REST endpoints). One of the approaches I am evaluating involves systemd-userdbd, because it seems to be designed with extensibility with modular service implementations in mind. Right now, I have a few questions concerning its architecture and use:

* Why was Varlink chosen over D-Bus, given that most other parts of systemd seem to talk D-Bus?

* How does protection of privileged fields work? In a different approach (using my own gRPC-based protocol), I used peer credentials on the UNIX socket for authorisation, but it seems this should break with userdbd when going through the multiplexer. However, I see "Warning: lacking rights to acquire privileged fields of user record of 'testnik', output incomplete." when I try to inspect another user as an unprivileged user. How does userdbd determine that?

* userdbd only helps for user information, i.e. for providing data to NSS through a decoupled interface. I would need to do the same for PAM, but until now, I could not find an existing standard for verifying credentials. Was that just not done yet, or is there a design decision that userdbd should not offer methods for authentication? I see that systemd-homed implements its own API through D-Bus…

* Ultimately, I would like to retrieve and store an OAuth token on user login. It would somehow be a good fit for the "secret" section of the User Record, but the fields allowed in it seem to be static. Are there any ideas around here where such a token could be stored during the user session?

Thanks for your help,
Nik