(Illustration by Gaich Muramatsu)
On Wed, Sep 29, 2004 at 04:03:59PM +0200, Ivan Popov wrote: > Inspired by M.Kondrin's letter. > > May be it will make the sense of the setup design more evident, > if I try to describe a hypothetical but totally sane setup, based on Coda: > > - clients have pam_aware login, which uses pam_something module > to check if a certain user "name" knows her password > > - another pam module tells if a certain user "name" > may use the relevant host > > Note, pam_something can be (Kerberos, NIS, anything) based, but it is always > one and only function "name" => YES or NO > YES == ("is who she pretends to be" AND "is allowed to use this host") > > if YES: > - the login program just PICKS UP THE NEXT UNUSED UID (it does not matter > which uid, just let it be unused until then and afterwards, with 2^64 > uids it is more or less infinite) > of course it logs which name corresponds to the uid, to be able > to identify processes afterwards. > it may create a corresponding new /etc/passwd entry, and even reuse it > at new logins with the same name. > only the numeric uid and user "name" are relevant there, > and can be lost without any harm (as long as the uids never are reused) > To be clear, uids make sense inside each host, > no reason to synchronize between hosts. > > - the login program looks up (may be by some pam_somethingelse) the > homedir path corresponding to the user "name" The login program need know nothing about this.... I believe this could be accomplished with a "libnss_superdooperldap" library, along with some extensions to NSCD (name service switch cache daemon). I'm using libnss_ldap right now, with static mappings of username->userid, but there's no reason a cache daemon running on the local machine couldn't be responsible for allocating a local UID, and local GID's for the groups the user is in. You *could* do pam_ldap for auth, but I think it would be better in the long run to use kerberos. The systems I admin at work use libnss_ldap for anythign that would do 'getpwent' & friends, and use pam_krb5 (and then pam_openafs_session) to get the user authenticated and access to the filesystem.Received on 2004-09-30 18:08:23