NSS and PAM

Robert Watson rwatson at FreeBSD.org
Mon Dec 1 09:18:21 PST 2003


On Mon, 1 Dec 2003, Dag-Erling Smørgrav wrote:

> "Jacques A. Vidrine" <nectar at FreeBSD.org> writes:
> > By `the two', do you mean directory services and authentication?  They
> > are certainly not `essentially one'.  But I suspect you know this and
> > I am just misunderstanding your meaning.
> 
> They are different issues, but in this context you can't discuss one
> without the other.  Authentication doesn't work unless you have a user
> to authenticate.  It makes no sense to separate them; you just end up
> duplicating a lot of concepts and code.
> 
> Also, is changing your password an authentication function or a
> directory function?  I don't think you can answer either without
> answering both.

It strikes me that there are two separate issues:

(1) Whether or not there's a useful distinction between authentication
    services and directory services.

(2) If there is or isn't such a distinction in (1), whether or not that
    distinction should appear in the implementation.

In practice, people frequently mix and match authentication services and
directory services, and there are services that implement one but not the
other.  For example, Kerberos5 for authentication and LDAP for directory
services is a common combination: however, Kerberos doesn't provide
directory services, only principal authentication.  Likewise, even on
purely local systems, the account directory services (pwent, et al) may be
distinct from principal authentication using one-time passwords, etc.  I'm
not opposed to the fundamental idea of combining mechanism, but there are
some practical underlying differences between directory services and
authentication, even though there's clear overlap.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org      Senior Research Scientist, McAfee Research
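As an added illustration (not part of the thread): on a FreeBSD host the two mechanisms discussed above are configured in separate files, which is where the directory-versus-authentication distinction shows up in practice. It assumes pam_krb5 and an nss_ldap module are installed; the LDAP and Kerberos realm settings themselves are left to their own config files and are not shown.

```conf
# /etc/nsswitch.conf -- directory services (NSS): which accounts exist,
# their uid/gid, shell and home directory. Kerberos has no role here;
# account data comes from the local files and, for missing entries, LDAP.
passwd: files ldap
group:  files ldap

# /etc/pam.d/sshd -- authentication (PAM): proving you are that principal.
# The account must already be resolvable through NSS above; pam_krb5 then
# verifies the password against the KDC, with pam_unix as the local fallback.
auth     sufficient pam_krb5.so   no_warn try_first_pass
auth     required   pam_unix.so   no_warn try_first_pass
account  required   pam_krb5.so
account  required   pam_unix.so
session  required   pam_permit.so
# Password changes touch both sides: the KDC holds the Kerberos credential,
# while the local password file is the fallback authenticator.
password sufficient pam_krb5.so   no_warn try_first_pass
password required   pam_unix.so   no_warn try_first_pass
```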
