On Mon, 2003-12-01 at 21:24, Tim Kientzle wrote:
> Why is the directory "usually the worst" for storing
> authentication information?

This one's fairly easy to answer: you want to stick authentication data into a potentially public/exposed directory? Even traditional Unix uses /etc/shadow (or more complex solutions on some commercial systems) these days, so the password isn't in the "directory" (/etc/passwd).

However, I have to agree with des's argument: a combined matrix for directory and authentication services doesn't mean the *data* must be combined. Using (for example) SIA, one could specify Kerberos 5 (my guess as to wollman's "better answer") and LDAP, and simply not specify entry points for the parts that each doesn't handle (Kerberos doesn't support directory services, and LDAP isn't being used for authentication), with later entries falling back to NIS or traditional files. But this arrangement allows traditional APIs to work reasonably --- and you can layer PAM and NSS on top of it as compatibility APIs.

-- 
brandon s. allbery [linux,solaris,freebsd,perl] [EMAIL PROTECTED]
system administrator [WAY too many hats] [EMAIL PROTECTED]
electrical and computer engineering, carnegie mellon univ. KF8NH

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "[EMAIL PROTECTED]"