Subject: Re: PAM
To: Ross Patterson <Ross.Patterson@CatchFS.Com>
From: Greg A. Woods <>
List: current-users
Date: 09/26/2002 14:26:17
[ On Thursday, September 26, 2002 at 12:17:55 (-0400), Ross Patterson wrote: ]
> Subject: Re: PAM
> Here's one example, from a real-world corporate-IT environment.  One of my 
> former employers was a largely-Microsoft shop, with a centrally-managed MIS 
> operation and roughly 20,000 staff, each enrolled in one of three 
> geographically-designated MS-Windows "domains".  All sorts of applications 
> required logging in, and by edict all of them must use the domain controllers 
> as the authentication service.  Why?  Because when someone leaves the 
> company, their access to *all* services can be turned off immediately and 
> definitively.

Such a policy can very easily lead to a false sense of security, but the
general sentiment is at least good.  I presume there were audits done
regularly to verify that all means of access were indeed protected in
this way.

> The PAM-LDAP module made it possible to integrate Linux systems into this 
> environment, because in a rare instance of clear vision Microsoft allowed 
> LDAP access to their Windows domain controllers.

LDAP support can be almost trivially added to NetBSD's nsswitch,
probably without changing any existing program which does A&A, not even
/usr/bin/login or ftpd, etc. (though without knowing more details about
how the authentication information is stored in a M$ LDAP database I'm
not 100% certain of that last claim -- but perhaps what's left can be
hidden quite easily in passwd.conf(5) et al and crypt(3)).  I also
suspect the code from the PAM LDAP module could be adapted to fit,
though I know nothing of its relative quality and maleability.  In an
ideal world the patches to add the nsswitch API hooks could be fed back
to the PAM LDAP authors for ease of future re-integration too.

The immediate major benefit of such integration over use of PAM (other
than the fact that it can be done today in released NetBSD code) is that
it guarantees full LDAP support in even static-linked programs
(something that cannot be done with PAM even if PAM were ported to any
existing NetBSD release from, say, FreeBSD).

								Greg A. Woods

+1 416 218-0098;            <>;           <>
Planix, Inc. <>; VE3TCP; Secrets of the Weird <>