[19756] in Kerberos
Re: which krb5 PAM module on Solaris 8?
daemon@ATHENA.MIT.EDU (Sam Hartman)
Mon Aug 4 13:54:59 2003
To: Brian Davidson <bdavids1@gmu.edu>
From: Sam Hartman <hartmans@MIT.EDU>
Date: Mon, 04 Aug 2003 13:53:37 -0400
In-Reply-To: <D24C104C-C692-11D7-9631-000393CCB774@gmu.edu> (Brian Davidson's message of "Mon, 04 Aug 2003 11:46:32 -0400")
Message-ID: <tsl3cghfgwu.fsf@konishi-polis.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu
>>>>> "Brian" == Brian Davidson <bdavids1@gmu.edu> writes:

    Brian> Why not use nsswitch for authorization? I'm assuming it's
    Brian> available on Solaris since Sun developed it (I don't have
    Brian> any Solaris boxes at the moment). Basically all password
    Brian> file lookups are redirected to LDAP via nss_ldap. It seems
    Brian> to me that authentication is best left to PAM, while
    Brian> authorization is better handled by a hook into the system
    Brian> calls that are used for authorization (i.e. what nsswitch
    Brian> does).

Because existence in the password file should not be tied to
authorization. I might want (and in fact do) all my users to exist in
my password files so that ls works, so that I can do group to name
mappings, etc.

I do not want that to imply authorization.

Also, for things like time-of-day based authorization, having the user
suddenly drop out of the password file would be undesirable.

PAM has hooks for this; they work about as well as the rest of PAM.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
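As an added illustration of the split Sam describes (not part of the original thread, and not taken from any Solaris or MIT Kerberos documentation): the name service answers "does this user exist", while the PAM account stage (the pam_acct_mgmt() step of a PAM conversation) answers "may this user log in right now". The fragment below uses Linux-PAM syntax with per-service files under /etc/pam.d and the pam_time module; Solaris 8 instead uses a single /etc/pam.conf with a leading service-name column and ships no pam_time, so the layout, module paths and the user name "alice" are assumptions for the example.

```text
# /etc/nsswitch.conf (assumed): name-service lookups only.
# This decides whether a user *exists*, so ls, id and group-to-name
# mapping keep working for every account in the directory. It says
# nothing about whether the account may log in.
passwd: files ldap
group:  files ldap

# /etc/pam.d/sshd (assumed Linux-PAM layout)
# auth stage: prove identity against the Kerberos KDC.
auth     required   pam_krb5.so
# account stage: a separate authorization decision. If it fails the
# login is refused, but the user is still resolvable through NSS, so
# nothing "drops out of the password file".
account  required   pam_time.so
account  required   pam_krb5.so
session  required   pam_krb5.so

# /etc/security/time.conf (assumed): the rule pam_time.so consults.
# Fields: services;ttys;users;times
# "alice" (constructed user) may use sshd on weekdays 08:00-18:00 only;
# outside that window the account stage denies access while her
# passwd entry, uid and groups remain visible to every other tool.
sshd;*;alice;Wk0800-1800
```

The point of keeping the rule in the account stage rather than in the directory is that revoking or time-limiting access never changes the answer NSS gives: file ownership still shows a name, group membership still resolves, and the authorization policy can be tightened or relaxed without touching the user database.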