Gentoo Archives: gentoo-dev

From: Paul de Vrieze <gentoo-user@××××××××.net>
To: gentoo-dev@g.o
Subject: Re: [gentoo-dev] User authentication ideas
Date: Mon, 14 Apr 2003 15:25:51
Message-Id: 61324.134.188.150.80.1050333949.squirrel@callisto.cs.kun.nl
> I've recently been busying myself setting up Kerberos/LDAP directory
> to provide a NIS like authentication system for my small LAN (hopefully
> allowing single sign on at some point in the near future).
>
> What I have found is that it is currently quite a big job to get all of
> this sorted on a Gentoo server, and even when it's all running, it doesn't
> play nicely with portage (or rather, there are some ebuilds that don't
> play nicely with NIS like systems).
>
> The main problems I've found are that some ebuilds grep /etc/passwd to see
> if a specific user exists on the system, and then go and add the
> user/group with the useradd/groupadd commands. Obviously, this doesn't
> work for users whose credentials are stored somewhere other than
> /etc/passwd.
>
> What I would like to propose is some sort of virtual package, maybe
> virtual/auth. The standard /etc/{passwd,group,shadow} authentication
> mechanism should be retained as the default (maybe call it auth-files or
> auth-shadow). The key thing here though, is that each package that
> provides virtual/auth must provide a user{add,del} and group{add,del}
> command (maybe useradd.packagename, etc. with symlinks to
> /sbin/useradd).
>
> I am quite prepared to put some effort into putting together a
> sys-auth/krb5-ldap ebuild, but there will need to be some coordination. It
> would be nice to be able to offer some sort of tool to switch between
> authentication mechanisms, a la RedHat authconfig.
>
> Can anybody see any problems, advantages, disadvantages, glaring issues in
> what I'm suggesting?
>

I think this is a good idea, although problems could arise when
authentication is necessary to allow adding users (maybe a list of
pending modifications could be used). I don't see that much the virtue of
authconfig, but if a user-list method is provided together with a
user-insert/mod method, then switching should be possible (be wary of not
automatically converting certain system users).

Paul

--
Paul de Vrieze
Researcher
Mail: pauldv@××××××.nl
Homepage: http://www.devrieze.net

--
gentoo-dev@g.o mailing list