NSS and PAM

Dag-Erling Smørgrav des at des.no
Mon Dec 1 14:25:00 PST 2003


"Jacques A. Vidrine" <nectar at FreeBSD.org> writes:
> Hmm, I disagree completely.  :-)  [...]

You are bringing authorization into the fray...  we're talking about
directory services (retrieving information about a user) and
authentication (identifying someone as that user), not authorization.

> > Also, is changing your password an authentication function or a
> > directory function?  I don't think you can answer either without
> > answering both.
> I think it is strictly an authentication function.  The change in your
> password has no effect on your UID, or your phone number, or in what
> ACLs your name appears in.

The problem is that the authentication information needs to be stored
somewhere, and the usual solution is to store it in the directory, so
changing the password involves both authentication and directory
services.

>> Backward compatibility is fine, but NSS does not seem to export an API
>> that we can use when we want to lift ourselves out of the mud, so we
>> are forced to keep rooting around in it.  
> What's an example of what you mean?  The BSD nsswitch implementation
> has a generic nsdispatch(3) that allows for new applications, but I'm
> not sure that is what you mean.  At any rate, it is not `NSS' proper, it
> is an implementation detail.

Like you say, it is an implementation detail, and it is far too
low-level to be of use.  We need an API that retrieves information
about a user according to rules established by the administrator
(nsswitch.conf or pam.conf or whatever) and is flexible enough to
handle the fact that different directories store different amounts of
information about the users at different levels of detail (for
instance, LDAP stores first and last name separately while /etc/passwd
only has the one GCOS field).

> It seems to me that this is a direct result of passwd(1) confusing
> authentication and authorization.  Other than determining the default
> target user name from the current UID, passwd(1) needs only to invoke
> PAM interfaces to change your password for any authentication method
> that supports password changing.

No, because PAM doesn't control retrieval of the user information.  If
it did, it would be as simple as you say, but it doesn't - NSS does -
so it's a nightmare.  Imagine the case where different directories
contain different entries for the same user, or for different users
who happen to have the same name; this is standard practice with NIS.
Which directory do you write the modified entry into?  The obvious
answer is "the one it came out of in the first place", but PAM doesn't
know which one that was.

DES
-- 
Dag-Erling Smørgrav - des at des.no
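The two points DES raises above (directories that store different amounts of detail, and a password change that must go back to the directory the entry came from) can be shown with a small model of first-match dispatch. The following is an added illustration, not code from the thread or from the FreeBSD nsswitch implementation; the source classes, `Switch`, `build_switch` and the sample records are all constructed for the example, and `change_password_local_only` stands in for a hypothetical passwd(1) that edits the local file without asking which directory the entry was read from.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class UserEntry:
    """Common shape handed to callers, whatever the backing directory stores."""
    name: str
    uid: int
    full_name: str
    password_hash: str
    source: str  # the directory this entry was read from (the provenance PAM lacks)


class FilesSource:
    """passwd(5)-style records: a single GECOS field holds the whole name."""
    name = "files"

    def __init__(self, records: Dict[str, dict]):
        self.records = records

    def lookup(self, name: str) -> Optional[UserEntry]:
        r = self.records.get(name)
        if r is None:
            return None
        return UserEntry(name, r["uid"], r["gecos"], r["hash"], self.name)

    def set_password(self, name: str, new_hash: str) -> None:
        self.records[name]["hash"] = new_hash


class LdapSource:
    """LDAP-style records: givenName and sn are separate attributes."""
    name = "ldap"

    def __init__(self, records: Dict[str, dict]):
        self.records = records

    def lookup(self, name: str) -> Optional[UserEntry]:
        r = self.records.get(name)
        if r is None:
            return None
        # Normalise the split name into the one field a passwd(5) caller expects.
        full_name = f"{r['givenName']} {r['sn']}"
        return UserEntry(name, r["uidNumber"], full_name, r["userPassword"], self.name)

    def set_password(self, name: str, new_hash: str) -> None:
        self.records[name]["userPassword"] = new_hash


class Switch:
    """First-match dispatch over an ordered list of sources, as nsswitch.conf does."""

    def __init__(self, order: List[str], sources: Dict[str, object]):
        self.order = order
        self.sources = sources

    def getpwnam(self, name: str) -> Optional[UserEntry]:
        for src in self.order:
            entry = self.sources[src].lookup(name)
            if entry is not None:
                return entry
        return None

    def change_password(self, name: str, new_hash: str) -> str:
        """Write the new hash back to the directory the entry was read from."""
        entry = self.getpwnam(name)
        if entry is None:
            raise KeyError(name)
        self.sources[entry.source].set_password(name, new_hash)
        return entry.source

    def change_password_local_only(self, name: str, new_hash: str) -> str:
        """Hypothetical passwd(1) that always edits the local file, ignoring lookup order."""
        self.sources["files"].set_password(name, new_hash)
        return "files"


def build_switch() -> Switch:
    # Constructed sample data: "bob" exists in both directories with different
    # uids, the situation DES describes as standard practice with NIS.
    files = FilesSource({
        "bob":   {"uid": 1001, "gecos": "Bob Local",   "hash": "files-hash-bob"},
        "carol": {"uid": 1002, "gecos": "Carol Local", "hash": "files-hash-carol"},
    })
    ldap = LdapSource({
        "bob": {"uidNumber": 5001, "givenName": "Bob", "sn": "Jones",
                "userPassword": "ldap-hash-bob"},
    })
    return Switch(["ldap", "files"], {"ldap": ldap, "files": files})


if __name__ == "__main__":
    sw = build_switch()
    print(sw.getpwnam("bob"))                       # the ldap entry wins under this order
    print(sw.change_password("bob", "new-hash"))    # written to ldap, where it came from
    sw.change_password_local_only("bob", "other-hash")
    print(sw.getpwnam("bob").password_hash)         # still "new-hash": the local edit was lost
```

With the lookup order `ldap files`, the entry for "bob" that login sees is the LDAP one; a password tool that only edits the local file updates an entry nobody consults, while the hash actually used for authentication is untouched. Carrying the source name in the entry is what lets the change land in the right directory.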