Debian Bug report logs -
#134473
Please add a plugin-like mechanism to adduser for external authentication mechanisms
Report forwarded to debian-bugs-dist@lists.debian.org, Karl Ramm <kcr@debian.org>, shadow@packages.qa.debian.org:
Bug#134473; Package passwd.
Acknowledgement sent to Daniel Freedman <freedman@ccmr.cornell.edu>:
New Bug report received and forwarded. Copy sent to Karl Ramm <kcr@debian.org>, shadow@packages.qa.debian.org.
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: passwd
Version: 20000902-8
Severity: wishlist
Hi,
It would be convenient to be able to have user/group information to be
distributed from an NIS server, without necessarily also allowing the
users/groups so specified to have accounts on such a server.
NIS, of course, allows this through the following portion of
'/var/yp/Makefile':
    #
    # These are the source directories for the NIS files; normally
    # that is /etc but you may want to move the source for the password
    # and group files to (for example) /var/yp/ypfiles. The directory
    # for passwd, group and shadow is defined by YPPWDDIR, the rest is
    # taken from YPSRCDIR.
    #
    YPSRCDIR = /etc
    YPPWDDIR = /etc
where, for example, 'YPPWDDIR = /var/yp/ypfiles' would allow a separate
namespace and prevent logins of such users/groups on the NIS server.
Please note, also, that the name of the above as 'Makefile' is not to
connote that the actual NIS package has to be recompiled from source
to use these changes; instead, this makefile is sourced when 'ypinit'
is run to update the NIS maps.
The 'nis.debian.howto.gz' from Debian's NIS package, however, points
out the major downside to this:
    Alternatively, you could edit the /var/yp/Makefile file and set NIS to
    use another source password file by pointing the YPPWDDIR variable at the
    top of the Makefile to another directory than /etc. On big systems, the
    NIS password and group files are often stored in /var/yp/ypfiles/. If
    you do this the normal tools to administrate the password file such as
    "passwd", "chfn", "adduser" will not work anymore and you will need
    special homemade tools for this.
Of course, one could use the alternative method to restrict access to
the NIS server, by running the NIS server as a client and doing the
plus-entry hack to the account files after the system users, but
that's really inconvenient (IMHO) for larger user bases.
Thinking where to file this wishlist bug, and looking through the
'adduser' perl-script, it seems relatively clear that the additional
functionality, if it comes, should come from the useradd/groupadd
programs as they are actually called by the Debian front-ends.
Grepping through the source with the 'shadow' package, it looks like
the positions for these files are hard-coded in 'defines.h' from that
package:
    #ifndef PASSWD_FILE
    #define PASSWD_FILE "/etc/passwd"
    #endif
    #ifndef GROUP_FILE
    #define GROUP_FILE "/etc/group"
    #endif
    #ifdef SHADOWPWD
    #ifndef SHADOW_FILE
    #define SHADOW_FILE "/etc/shadow"
    #endif
    #endif
    #ifdef SHADOWGRP
    #ifndef SGROUP_FILE
    #define SGROUP_FILE "/etc/gshadow"
    #endif
    #endif
It would be great if this could be extended to allow a command-line
option to specify the prefix to these file locations, like:
    useradd --passwd-prefix="/var/yp/ypfiles" ...
If this happens (and of course, this is only a wishlist bug), then the
'adduser' script might be subsequently modified to make use of the
functionality, and we could have easier interaction between NIS and
password maintenance scripts for larger sites, without the necessity
of maybe going with a more complicated (albeit more flexible) tool
like LDAP.
Thanks so much! I appreciate the consideration.
Take care,
Daniel
--
Daniel A. Freedman
Laboratory for Atomic and Solid State Physics
Department of Physics
Cornell University
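The howto excerpt quoted in the report above says that once YPPWDDIR points away from /etc, "passwd", "chfn" and "adduser" stop working and a site needs homemade tools. As an added example (not part of the bug log, and not code from shadow or adduser), here is a sketch of such a tool in Python that adds a locked account under a prefix directory. The function name add_user, the lock file .ypfiles.lock, the name pattern and the refusal of uid 0 are assumptions made for the illustration.

```python
import fcntl
import os
import re
import tempfile

NAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")  # assumed local naming policy


def _read(path):
    try:
        with open(path) as f:
            return f.readlines()
    except FileNotFoundError:
        return []


def _atomic_write(path, lines, mode):
    # Temp file in the same directory, so os.replace() is an atomic rename.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
    try:
        os.fchmod(fd, mode)
        with os.fdopen(fd, "w") as f:
            f.writelines(lines)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def add_user(prefix, name, uid, gid, gecos, home, shell="/bin/sh"):
    """Append a locked account to <prefix>/passwd and <prefix>/shadow."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("invalid user name")
    if not (isinstance(uid, int) and isinstance(gid, int) and uid > 0):
        raise ValueError("uid/gid must be integers and uid 0 is refused")
    for field in (gecos, home, shell):
        # A ':' or newline here would forge extra fields or whole entries.
        if re.search(r"[:\r\n]", field):
            raise ValueError("illegal character in field")
    passwd, shadow = os.path.join(prefix, "passwd"), os.path.join(prefix, "shadow")
    # Lock file private to this example; it does not interlock with shadow's tools.
    with open(os.path.join(prefix, ".ypfiles.lock"), "w") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)
        entries = _read(passwd)
        for line in entries:
            cols = line.rstrip("\n").split(":")
            if cols[0] == name or (len(cols) > 2 and cols[2] == str(uid)):
                raise ValueError("name or uid already in use")
        new_pw = f"{name}:x:{uid}:{gid}:{gecos}:{home}:{shell}\n"
        # '!' in the hash field: no password matches until one is set.
        _atomic_write(shadow, _read(shadow) + [f"{name}:!:::::::\n"], 0o600)
        _atomic_write(passwd, entries + [new_pw], 0o644)
    return new_pw
```

The NIS maps still have to be rebuilt from the prefix directory afterwards; that step is outside this sketch.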
Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#134473; Package passwd.
Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>.
Message #10 received at 134473@bugs.debian.org (full text, mbox, reply):
I must confess that I have absolutely no idea of what the bug
submitter is requesting in http://bugs.debian.org/134473
Has anyone a rough idea?
--
Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#134473; Package passwd.
Acknowledgement sent to Martin Quinson <martin.quinson@loria.fr>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>.
Message #15 received at 134473@bugs.debian.org (full text, mbox, reply):
On Mon, May 16, 2005 at 06:29:50PM +0200, Christian Perrier wrote:
> I must confess that I have absolutely no idea of what the bug
> submitter is requesting in http://bugs.debian.org/134473
>
> Has anyone a rough idea?
A new option to the low level tools allowing to specify on which files to
work on.
Rationale: on nis server, you don't want to allow the user of your company to
log onto your nis server, you want them to be added in the DB managed by the
nis server. You don't want to modify /etc/passwd but /var/yp/ypfiles/etc/passwd.
At least, that's what I understand from this mail, I've no personal opinion,
beside the relative simplicity of the corresponding patch.
I'm CCing debian NIS packager (hello Miquel) to see what he thinks about it.
[For the context, shadow packaging just changed into a team effort, and
we're doing massive bug triage]
Bye, Mt.
Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#134473; Package passwd.
Acknowledgement sent to Miquel van Smoorenburg <miquels@cistron.nl>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>.
Message #20 received at 134473@bugs.debian.org (full text, mbox, reply):
On Mon, 16 May 2005 23:35:40, Martin Quinson wrote:
> On Mon, May 16, 2005 at 06:29:50PM +0200, Christian Perrier wrote:
> > I must confess that I have absolutely no idea of what the bug
> > submitter is requesting in http://bugs.debian.org/134473
> >
> > Has anyone a rough idea?
>
> A new option to the low level tools allowing to specify on which files to
> work on.
>
> Rationale: on nis server, you don't want to allow the user of your company to
> log onto your nis server, you want them to be added in the DB managed by the
> nis server. You don't want to modify /etc/passwd but /var/yp/ypfiles/etc/passwd.
>
> At least, that's what I understand from this mail, I've no personal opinion,
> beside the relative simplicity of the corresponding patch.
>
> I'm CCing debian NIS packager (hello Miquel) to see what he thinks about it.
> [For the context, shadow packaging just changed into a team effort, and
> we're doing massive bug triage]
Well actually nowadays Mark Brown does most (the last few releases,
all) of the work on NIS.
But it's probably not a bad idea to make the tools more flexible.
It sure beats vi :)
Mike.
Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#134473; Package passwd.
Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>.
Message #25 received at 134473@bugs.debian.org (full text, mbox, reply):
(enlarging the discussion again..:-)). See http://bugs.debian.org/134473
> > I'm CCing debian NIS packager (hello Miquel) to see what he thinks about it.
> > [For the context, shadow packaging just changed into a team effort, and
> > we're doing massive bug triage]
>
> Well actually nowadays Mark Brown does most (the last few releases,
> all) of the work on NIS.
>
> But it's probably not a bad idea to make the tools more flexible.
> It sure beats vi :)
Well, I will need to be convinced..:-)
Up to now, we are still looking at useradd/userdel as "low-level"
tools and thus the "high-level" functionality is better integrated
into adduser/deluser.
We also have, for instance, a request to make useradd add users in
LDAP backends and we could even end up in requests to be able to add
users in "winbind" backends one can have with the samba package (users
authenticated against a NT domain).
I'm very reluctant to push such feature requests to upstream shadow
and ask it with all possible name services systems.
I think that adding a kind of plugin mechanism to Debian specific
adduser utilities would be more logical, if that's feasible.
Marc and adduser maintainers, opinions, thoughts ?
Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#134473; Package passwd.
Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>.
Message #30 received at 134473@bugs.debian.org (full text, mbox, reply):
On Tue, May 17, 2005 at 07:28:25AM +0200, Christian Perrier wrote:
> I think that adding a kind of plugin mechanism to Debian specific
> adduser utilities would be more logical, if that's feasible.
As far as I remember, this is on the features list for the next
generation adduser. Unfortunately, there is no work being done on
next generation adduser at the moment, and features like this will
surely not be in current adduser under its current maintainership. No
time.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835
Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#134473; Package passwd.
Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>.
Message #35 received at 134473@bugs.debian.org (full text, mbox, reply):
Quoting Marc Haber (mh+debian-packages@zugschlus.de):
> On Tue, May 17, 2005 at 07:28:25AM +0200, Christian Perrier wrote:
> > I think that adding a kind of plugin mechanism to Debian specific
> > adduser utilities would be more logical, if that's feasible.
>
> As far as I remember, this is on the features list for the next
> generation adduser. Unfortunately, there is no work being done on
> next generation adduser at the moment, and features like this will
> surely not be in current adduser under its current maintainership. No
> time.
OK, thanks for the very quick (as usual) reply, Marc.
I'm not fond of reassigning "my/our" bugs to others but in that case, this
bug would become a request to add a plugin for NIS to adduser...as
soon as the plugin or similar mechanism is implemented in adduser..:-)
Would you bother me to reassign this to adduser or do you have
already requests for NIS account management for it ?
About adduser maintainership, what is your current setup? Do you have
a team setup or is the package basically maintained by just you?
The shadow revival we recently made has given me some ideas about team
package maintenance I'd like to share (in fact, this is a bit too late
but I intended to talk about this at debconf....still maybe for an
informal BOF if I have enough courage...)
Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#134473; Package passwd.
Acknowledgement sent to Martin Quinson <martin.quinson@loria.fr>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>.
Message #40 received at 134473@bugs.debian.org (full text, mbox, reply):
On Tue, May 17, 2005 at 07:28:25AM +0200, Christian Perrier wrote:
> (enlarging the discussion again..:-)). See http://bugs.debian.org/134473
>
> > > I'm CCing debian NIS packager (hello Miquel) to see what he thinks about it.
> > > [For the context, shadow packaging just changed into a team effort, and
> > > we're doing massive bug triage]
> >
> > Well actually nowadays Mark Brown does most (the last few releases,
> > all) of the work on NIS.
> >
> > But it's probably not a bad idea to make the tools more flexible.
> > It sure beats vi :)
>
>
> Well, I will need to be convinced..:-)
>
> Up to now, we are still looking at useradd/userdel as "low-level"
> tools and thus the "high-level" functionality is better integrated
> into adduser/deluser.
>
> We also have, for instance, a request to make useradd add users in
> LDAP backends and we could even end up in requests to be able to add
> users in "winbind" backends one can have with the samba package (users
> authenticated against a NT domain).
>
> I'm very reluctant to push such feature requests to upstream shadow
> and ask it with all possible name services systems.
Well, we're not exactly speaking of adding a whole new mechanism, I think,
but of allowing the tools to do exactly the same work on other files. For
sake of helping nis users. It's a valuable goal which is easy to achieve.
I vote +1 for it.
If Mark and Miquel confirm that this would indeed help nis user (and thus
confirm that this is probably the submitter request), I'll prepare a patch.
Once the technical issue will be solved, the complexity of the solution may
help in the political discussion about whether we want it ;)
Tomasz, what's your opinion on this one?
Bye, Mt.
Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#134473; Package passwd.
Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>.
Message #45 received at 134473@bugs.debian.org (full text, mbox, reply):
Hi,
On Tue, May 17, 2005 at 08:36:46AM +0200, Christian Perrier wrote:
> I'm not fond of reassigning "my/our" bugs to others but in that case, this
> bug would become a request to add a plugin for NIS to adduser...as
> soon as the plugin or similar mechanism is implemented in adduser..:-)
I think that the new adduser will probably be an entirely new package.
> Would you bother me to reassign this to adduser or do you have
> already requests for NIS account management for it ?
Feel free to reassign, but that bug will quickly catch a "severity
wishlist, tags wontfix help".
> About adduser maintainership, what is your current setup? Do you have
> a team setup or is the package basically maintained by just you?
Adduser used to be maintained by Roland Bauerschmidt, and he accepted
me as a co-maintainer in 2004. He is quite busy with openldap, I am
quite busy with exim4, and thus only urgent bugs or easily fixable
items get addressed. I understand that Roland has some ideas about the
next generation adduser, but I surely don't plan on putting any time
into that. From the degree of Roland's participation in adduser in the
last months, I guess that he is swamped with work as well.
So it looks like next generation adduser will be a completely
different package written by somebody else, and that a plugin
architecture in the current adduser won't happen any time soon.
Actually, I got involved with adduser maintainership when I needed
some minor changes to make package account creation easier. These
issues are addressed, which kind of concludes my interest in adduser.
I'll try to keep the package free of RC bugs, and fix trivial
requests, but investing any time into big architectural changes is a
non-option for me.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835
Bug reassigned from package `passwd' to `adduser'.
Request was from Christian Perrier <bubulle@debian.org>
to control@bugs.debian.org.
Changed Bug title.
Request was from Christian Perrier <bubulle@debian.org>
to control@bugs.debian.org.