splitting courier-authlib into master+slave ports
yds at CoolRat.org
Sun Apr 24 08:59:40 PDT 2005
--On Sunday, April 24, 2005 16:05:32 +0200 Jose M Rodriguez
<josemi at freebsd.jazztel.es> wrote:
> El Domingo, 24 de Abril de 2005 15:18, Oliver Lehmann escribió:
>> Jose M Rodriguez wrote:
>> > Also, I think an UPDATING entry must be done pointing that ports
>> > that depends on this, must need BUILD_DEPENDS on
>> > courier-authlib-base and RUN_DEPENDS on courier-authlib-pam to be
>> > able of reading system passwd.
>> I still don't see the point why we must force pam or pwd.db support
>> to install? Why not left the choise to the user what "plugin" to
>> install? A user who uses MySQL don't need PAM or pwd.db support same
>> for me, I use vpopmail's user db.
> Well, I try this slowly
> three system auth modules come with courier-authlib
> libauthpwd -> for systems with old system 7 passwd, with real readable
> passwords in /etc/passwd (very old systems, not FreeBSD)
> libauthshadow -> for systems with system V shadow passwords, but without
> a pam lib (ej: Slackware linux).
> libauthpam -> for systems with a pam library (FreeBSD).
> And just one of this must be implemented. I think we only need
> libauthpam, allthough libauthpwd may build and install (but it isn't
> able to authtenticate).
> without this, you can't authenticate or locate system accounts. this is
> a fact.
> Now, take out your 'courier-authlib point of view' and take this from a
> 'courier-imap point of view'
> If you RUN_DEPENDS on courier-authlib-base instead of
> courier-authlib-pam, you will end with a default courier-imap install
> that isn't able to read system accounts. I don't think this is
> This is why I point to make courier-authlib-base with authpam, in the
> sense you can get from the actual pkg-descr.
> This is not any set of auth modules, just the one base module needed to
> read system accounts. And if you fill this dangerous or not needed,
> you can easy tweak authdaemonrc to not load the authpam module.
> I think that it easy expect a pro user implementing a virtual mail
> system have the resources to edit authdaemonrc that a home user trying
> to install courier-imap can locale the real need of installing
> courier-authlib-pam to get his system accounts working.
Thank you, josemi. That's pretty much been my stance on this from day
one. You spelled it out quite clearly.
Oliver, your description of how libauthpwd works is incorrect. You
describe it as offering "/etc/pwd.db support" which implies that it works
directly with that file. However the description in
<http://www.Courier-MTA.org/authlib/README_authlib.html> reads as follows:
The authpwd authentication module
This modules obtains account information and passwords from the /etc/passwd
NOTE: This module doesn't actually read the /etc/passwd file, it uses the C
library's getpw() functions. The C library implementation could use any
mechanism to obtain the equivalent information.
Which means that if one has NIS set up the account info would be gotten
from there. etc. and if you lookup the man page for getpw(3) two things
1) the library this function lives in is libcompat
2) the getpw() function is made obsolete by getpwuid(3)
Further down in the authpam section of
<http://www.Courier-MTA.org/authlib/README_authlib.html> we get the
The authpam authentication module
This modules uses the system's PAM library (pluggable authentication
modules) for authentication. This is, essentially, a way to use existing
PAM modules for authentication. Note, however, that the authenticated
account's home directory, userid and groupid are still read from the
/etc/passwd file, since PAM functionality is limited to validating account
NOTE: The specific configuration steps differ from system to system.
Consult the system documentation for more information. It might be tempting
to throw in a towel and use authshadow or authpwd if you cannot figure out
how to *install* PAM support, however that is not advisable. It is highly
recommended to use authpam wherever the PAM library is available.
I added the emphasis on *install*. Well, we *can* figure out how to
install authpam and there is no OS_VERSION of FreeBSD supported by the
ports system which does not contain PAM in the base OS. Which makes
authpwd completely undesirable anywhere near a FreeBSD system.
As for having authpam in the base courier-authlib port. The library is
only 6476 bytes on my build. There's more space wasted leaving the lib*.a
files in the base install. So space is not an argument. The argument
seems to be that you only use vchkpw some other user only uses
userdb,ldap,mysql,pgsql and authpam is not needed for you. That's what
authmodulelist is for in authdaemonrc -- to specifically list only the
modules you want considered for user authentication. Having authpam
installed as part of the base courier-authlib won't hurt you. But having a
courier-authlib which is not capable of doing anything out-of-the-box might
be painfull for someone looking at courier for the first time. Having to
find out what's causing the pain from an UPDATING file might cause further
frustration. The already provided documentation is painful enough.
Also take a look at courier-authlib.spec to see how the packaging is
organized on an rpm system. There's no separate authpam or authpwd
package. Authentication to system accounts is included in the "base"
install. The subpackages are split because they require extra library
dependencies one might not want when all they need is a working
courier-authlib. Not because they qualify as auth modules. That's one of
the reasons you had to write extra patches to prevent authpwd form being
installed. courier-authlib was never intended by its author to be
installed without a system authmodule. courier-authlib.spec and you
needing to patch it to accomplish that is evidence enough.
To sum it up not including authpam is more difficult to maintain and the
benefit is rather negligible: having a pure courier-authlib which only
contains the one authmodule you selected. The benefit of including authpam
in the base is no patching to remove authpwd from the base install,
--with-authpam does that for you and fewer authmodules for a user to
consider: base courier-authlib for system account authentication -- any of
the plugins to use anything above and beyond system accounts. For some
authpam would be sufficient even if they wanna use LDAP since it's possible
to configure PAM that way.
More information about the freebsd-ports