
[Devel] Re: Transition: new PAM config file handling in unstable



Hi Petter,

On Sat, Aug 23, 2003 at 06:14:48PM +0200, Petter Reinholdtsen wrote:

> [Steve Langasek]
> > - At a later date, it will be possible to support tools for
> >   debconf-based management of the authentication subsystem so that
> >   administrators can seamlessly integrate workstations into (e.g.)
> >   Kerberos, LDAP, or Windows NT authentication realms.  No work has
> >   been done yet to develop these tools, and they are unlikely to be
> >   ready in time for sarge; but this is a realistic goal for sarge+1,
> >   or for customized installers based on sarge.

> Skolelinux is currently setting up LDAP at install time, and would
> love to have a more standardized way to do it.  At the moment, we just
> replace the files in /etc/pam.d/, and edit /etc/nsswitch.conf,
> /etc/pam_ldap.conf and /etc/libnss-ldap.conf.

> Is there anything we can do to assist the progress of the system to
> automatically set up LDAP/NIS/whatever at install time?  We would love
> to be able to do this in a policy-compliant way. :)

I'm fairly certain that neither Sam nor I would have the time to work on
this piece ourselves before sarge's release, but if you're able to
prepare a suitable tool for managing authentication choices, it's
possible it could still be considered for inclusion in sarge.

Such a tool would need an interface for new authentication modules to
register themselves; it would need to allow the administrator to opt for
at least minimal module stacking (LDAP w/ fallback to pam_unix, for
example); and it would need to understand how to manage
/etc/pam.d/common-auth, /etc/pam.d/common-account, and /etc/pam.d/other.
Technically, to be policy-compliant, the config-writing portion of this
tool must also be part of the libpam-runtime package.  For an added
bonus, the tool can be called by the name 'authconfig', which is the
name Red Hat uses for their system.

I believe Sam has some other goals for this tool, specifically relating
to Kerberos/AFS support; I'll let him speak for himself on those.

If I can provide any input that would help someone work on implementing
this, please let me know.

-- 
Steve Langasek
postmodern programmer
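
Added example, not part of the original message and not code from libpam-runtime: a sketch of the registration and stacking requirements described above, rendering an LDAP-first stack with pam_unix fallback for /etc/pam.d/common-auth. The registry shape, the priority field, the function names and the "last rule must be required" policy are assumptions made for illustration.

```python
# Added illustration; names and the registry design are hypothetical.
from dataclasses import dataclass

@dataclass(frozen=True)
class AuthModule:
    name: str            # PAM module file, e.g. "pam_ldap.so"
    priority: int        # lower is tried first (assumed ordering rule)
    options: tuple = ()

REGISTRY = {}

def register(module):
    """Interface an authentication module package would call to announce itself."""
    REGISTRY[module.name] = module

def render_auth_stack(modules):
    """Earlier modules are 'sufficient'; the last one is 'required', so a
    rejection by every module ends in an explicit failure."""
    ordered = sorted(modules, key=lambda m: m.priority)
    if not ordered:
        raise ValueError("refusing to write an empty auth stack")
    lines = []
    for i, mod in enumerate(ordered):
        control = "required" if i == len(ordered) - 1 else "sufficient"
        opts = list(mod.options)
        if i > 0 and not {"try_first_pass", "use_first_pass"} & set(opts):
            opts.append("try_first_pass")   # reuse the password already typed
        lines.append(" ".join(["auth", control, mod.name] + opts))
    return lines

def ends_with_required(text):
    """Lint an existing stack against the policy assumed here: the final
    auth rule is 'required' or 'requisite'. Comments and @include are skipped."""
    rules = [l.split() for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith(("#", "@"))]
    auth = [r for r in rules if r[0] == "auth" and len(r) >= 3]
    return bool(auth) and auth[-1][1] in ("required", "requisite")

# Constructed sample registrations: LDAP first, local accounts as fallback.
register(AuthModule("pam_unix.so", priority=90))
register(AuthModule("pam_ldap.so", priority=10))
COMMON_AUTH = render_auth_stack(REGISTRY.values())

if __name__ == "__main__":
    print("\n".join(COMMON_AUTH))
```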
