From: "Paul de Vrieze"
Date: Mon, 14 Apr 2003 17:25:49 +0200 (CEST)
Subject: Re: [gentoo-dev] User authentication ideas
Message-ID: <61324.134.188.150.80.1050333949.squirrel@callisto.cs.kun.nl>
List-Id: Gentoo Linux mail

> I've recently been busying myself setting up Kerberos/LDAP directory
> to provide a NIS like authentication system for my small LAN (hopefully
> allowing single sign on at some point in the near future).
>
> What I have found is that it is currently quite a big job to get all of
> this sorted on a Gentoo server, and even when it's all running, it doesn't
> play nicely with portage (or rather, there are some ebuilds that don't
> play nicely with NIS like systems).
>
> The main problems I've found are that some ebuilds grep /etc/passwd to see
> if a specific user exists on the system, and then go and add the
> user/group with the useradd/groupadd commands. Obviously, this doesn't
> work for users whose credentials are stored somewhere other than
> /etc/passwd.
>
> What I would like to propose is some sort of virtual package, maybe
> virtual/auth. The standard /etc/{passwd,group,shadow} authentication
> mechanism should be retained as the default (maybe call it auth-files or
> auth-shadow). The key thing here though, is that each package that
> provides virtual/auth must provide a user{add,del} and group{add,del}
> command (maybe useradd.packagename, etc. with symlinks to
> /sbin/useradd).
>
> I am quite prepared to put some effort in to putting together a
> sys-auth/krb5-ldap ebuild, but there will need to be some coordination. It
> would be nice to be able to offer some sort of tool to switch between
> authentication mechanisms, a la RedHat authconfig.
>
> Can anybody see any problems, advantages, disadvantages, glaring issues in
> what I'm suggesting?
>

I think this is a good idea, although problems could arise when
authentication is necessary to allow adding users (maybe a list of pending
modifications could be used). I don't see that much virtue in authconfig,
but if a user-list method is provided together with a user-insert/mod
method, then switching should be possible (be wary of not automatically
converting certain system users).

Paul

-- 
Paul de Vrieze
Researcher
Mail: pauldv@cs.kun.nl
Homepage: http://www.devrieze.net

--
gentoo-dev@gentoo.org mailing list
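
The account check discussed in this thread, as an added example that is not part of either message and not Portage code: it contrasts a file-only lookup with an NSS-aware one (`getent`) and records a pending modification when the account would have to be created in a directory. `PASSWD_FILE`, `PENDING_FILE`, `AUTH_BACKEND` and the function names are hypothetical.

```shell
#!/bin/sh
# Added illustration, not code from the thread or from Portage.
# PASSWD_FILE, PENDING_FILE, AUTH_BACKEND and the function names are hypothetical.
PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}
PENDING_FILE=${PENDING_FILE:-./pending-accounts.list}
AUTH_BACKEND=${AUTH_BACKEND:-files}   # "files", or a directory provider such as krb5-ldap

# File-only check, equivalent to grepping /etc/passwd: blind to directory users.
user_in_passwd_file() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' "$PASSWD_FILE"
}

# NSS-aware check: getent asks every source listed in /etc/nsswitch.conf.
user_in_nss() {
    getent passwd "$1" >/dev/null 2>&1
}

# Print what an install script should do for a required account:
#   present   - some NSS source already resolves it; do not create a local duplicate
#   add-local - flat-file backend; running useradd is appropriate
#   queued    - directory backend; creation needs directory credentials, so the
#               request is recorded for an administrator instead
plan_user() {
    if user_in_nss "$1"; then
        echo present
    elif [ "$AUTH_BACKEND" = files ]; then
        echo add-local
    else
        printf 'useradd %s\n' "$1" >> "$PENDING_FILE"
        echo queued
    fi
}

# Usage: sh plan-user.sh NAME
if [ $# -gt 0 ]; then
    plan_user "$1"
fi
```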