
Re: [Proposal] Forget PAM, stick with NSS



On Sat, Jul 31, 1999 at 02:55:18PM +0100, Matt Ryan wrote:
> 
> I'm a big fan of small dependencies for packages. I can't see any reason why
> we should start PAMifying packages when AFAICS it only gives the same
> functionality as the NSS part of glibc. I have set up libnss-ldap and it works
> very well - why would I need PAM?

Well for starters NSS and PAM are two completely different things. NSS is
just a name service to look up common things like userid, passwords, hosts,
etc.

PAM on the other hand is an authentication service. While it might look
like you don't need PAM for nss_ldap, it's a very easy oversight. In your
case, the application is looking up the user information from NSS (ldap)
and then handling all of the authentication. There is nothing wrong with
this. But it is much better to have PAM handle the authentication since
it's more configurable. For instance, let's say you wanted to have your
logins authenticated against an LDAP name service, but receive Kerberos
tickets as well? With just NSS you can't do this, but with PAM you can
simply stack the pam_ldap and pam_krb modules to achieve this.

Please read the documentation and/or related RFCs to completely
understand the differences in NSS and PAM.

Ben
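
How stacking decides the login outcome, as an added example that is not part of the original message: a simplified Python model of the Linux-PAM control flags (`required`, `requisite`, `sufficient`, `optional`) run over a constructed config. The module file names follow the post's wording, and the module outcomes are simulated rather than produced by real PAM modules.

```python
# Added illustration: simplified model of how Linux-PAM walks one stack.
# The config text and the module outcomes are constructed sample data.

SAMPLE_CONF = """\
# pam.d-style service file (constructed); module names as in the post
auth     required  pam_ldap.so
auth     optional  pam_krb.so
account  required  pam_ldap.so
"""

def parse_stack(conf, mgmt_type="auth"):
    """Return [(control, module)] for one management group, in file order."""
    stack = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        if fields[0] == mgmt_type:
            stack.append((fields[1], fields[2]))
    return stack

def evaluate(stack, outcome):
    """outcome maps module -> bool (simulated). Returns (granted, called)."""
    failed = positive = False
    called = []
    for control, module in stack:
        ok = outcome[module]
        called.append(module)
        if control == "sufficient":
            if ok and not failed:
                return True, called       # success ends the stack early
            continue                      # a failed 'sufficient' is ignored
        if control == "requisite" and not ok:
            return False, called          # failure ends the stack at once
        if control in ("required", "requisite"):
            failed = failed or not ok     # remembered, later modules still run
        elif control != "optional":
            raise ValueError(f"unsupported control flag: {control}")
        positive = positive or ok         # a failed 'optional' changes nothing
    return (positive and not failed), called

if __name__ == "__main__":
    stack = parse_stack(SAMPLE_CONF)
    for ldap_ok, krb_ok in [(True, True), (True, False), (False, True)]:
        result = evaluate(stack, {"pam_ldap.so": ldap_ok, "pam_krb.so": krb_ok})
        print(f"ldap={ldap_ok} krb={krb_ok} ->", result)
```

With the Kerberos module marked `optional`, a Kerberos failure does not block an LDAP-authenticated login; changing it to `required` would make both checks mandatory.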

