Re: Enhancement patch for basic auth module: yp_auth

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sun, 12 Oct 2003 00:10:35 +0200 (CEST)

On 10 Oct 2003, Bruce Smith wrote:

> The patch basically does the following:
>
> 1) Nothing, unless you add additional parameters on the command line.
> Existing users of yp_auth will see no difference at all.
>
> 2) With additional command line parameters, it can check the existence
> of verified users in a NIS group. It can either accept or reject
> all users in the specified group.

Hmm.. this is really best done using an external_acl helper like the other
group lookups I think. Having an auth helper filter out what users are
considered to exist in the user database is a bit strange to me..
authorization is better done separate from authentication and allows for
a cleaner migration to more detailed authorization levels when required.

> This allows "exceptions" so you can prevent certain users from
> connecting, or you can only allow a list of users to connect.

So does having a NIS group helper..

Maybe the unix_group helper can do the job for you without any
modifications to yp_auth? I suspect it can.. (it should, if the server is
member of the NIS domain and what you are looking into is plain group
memberships)

Regards
Henrik
Received on Sat Oct 11 2003 - 16:10:41 MDT
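
The separation suggested in the message above, as an added example that is not part of the original mail and is not Squid's own unix_group helper: yp_auth stays a pure password check, and group membership is answered by a separate external_acl helper whose result the ACLs turn into allow or deny. The helper path, ACL name and group name are placeholders, and it assumes login and group names without spaces or quoting.

```python
#!/usr/bin/env python3
# Sketch of a Squid external_acl group helper. Assumed squid.conf wiring
# (helper path, ACL name and group name are placeholders):
#   external_acl_type nis_group %LOGIN /usr/local/bin/group_check.py
#   acl listed external nis_group proxyusers
#   http_access allow listed     # or: http_access deny listed
import grp
import pwd
import sys


def system_groups(user):
    """Group names for user as seen through NSS (files, NIS, ...)."""
    try:
        primary_gid = pwd.getpwnam(user).pw_gid
    except KeyError:
        return set()  # unknown account: no groups, so the check fails closed
    names = {g.gr_name for g in grp.getgrall() if user in g.gr_mem}
    try:
        names.add(grp.getgrgid(primary_gid).gr_name)  # primary group too
    except KeyError:
        pass  # gid without a group entry
    return names


def decide(line, lookup=system_groups):
    """One request line '<login> <group> [<group> ...]' -> 'OK' or 'ERR'."""
    fields = line.split()
    if len(fields) < 2:
        return "ERR"  # malformed request: deny
    user, wanted = fields[0], set(fields[1:])
    return "OK" if wanted & lookup(user) else "ERR"


def main():
    # Squid sends one request per line and reads one reply per line.
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Whether the group acts as an allow list or a block list is decided by the http_access line, so the helper needs no accept/reject switch of its own.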
