[gentoo-dev] User authentication ideas

[<gdjohn@egregious.org.uk>]

I've recently been busying myself setting up Kerberos/LDAP directory to
provide a NIS like authentication system for my small LAN (hopefully
allowing single sign on at some point in the near future).

What I have found is that it is currently quite a big job to get all of
this sorted on a Gentoo server, and even when it's all running, it doesn't
play nicely with portage (or rather, there are some ebuilds that don't
play nicely with NIS like systems).

The main problems I've found are that some ebuilds grep /etc/passwd to see
if a specific user exists on the system, and then go and add the
user/group with the useradd/groupadd commands.  Obviously, this doesn't
work for users whose credentials are stored somewhere other than
/etc/passwd.

What I would like to propose is some sort of virtual package, maybe
virtual/auth. The standard /etc/{passwd,group,shadow} authentication
mechanism should be retained as the default (maybe call it auth-files or
auth-shadow).  The key thing here though, is that each package that
provides virtual/auth must provide a user{add,del} and group{add,del}
command (maybe useradd.packagename, etc. with symlinks to /sbin/useradd).

I am quite prepared to put some effort in to putting together a
sys-auth/krb5-ldap ebuild, but there will need to be some coordination. It
would be nice to be able to offer some sort of tool to switch between
authentication mechanisms, a la RedHat authconfig.

Can anybody see any problems, advantages, disadvantages, glaring issues in
what I'm suggesting?

Cheers,

Gareth.




--
gentoo-dev@gentoo.org mailing list