[Freeipa-devel] [PATCH] move LOCAL auth into a separate backend

Simo Sorce ssorce at redhat.com
Fri May 29 13:08:43 UTC 2009


On Fri, 2009-05-29 at 14:34 +0200, Sumit Bose wrote:
> Hi,
> 
> this patch moves the authentication/PAM components for the LOCAL backend
> from the responder to a separate backend. I have mostly copied the old
> code to the new location and added the backend glue-code. Additionally I
> have changed the logic of how pam_status is handled. It is now set to
> PAM_SYSTEM_ERR in the beginning and has to be changed explicitly when a
> pam operation succeeds.
> 
> I would like to make sssd_be a little more flexible by allowing backends
> to implement either auth or id without the necessity to add the
> glue-code for the other. If this is a good idea I can write a patch.

You don't need to add any glue code.
sssd_be already opens 2 different .so files (they may be the same file
of course), and just loads either the id part or the auth part.

The problem here (and the reason why I didn't provide this patch myself)
is that LOCAL is a special "non"-backend.
I am not yet sure I like the idea of moving LOCAL auth in a backend.
Our model is that auth backends make sense only as dependent on an id
backend. But LOCAL has no id backend in its own right because it is all
just available in the cache.

If we want to make this a complete real backend on its own then maybe we
should separate the LOCAL database and the cache database in 2 files.
Create a real LOCAL backend, and live with the fact we have duplicate
data (once in LOCAL.ldb and once in cache.ldb).

This seems a bit redundant, but it would allow someone to rm cache.ldb
without fear of losing actual accounts.

If we all agree that clear interface separation and data separation is
enough of a goal to offset some duplication then maybe this is what we
should do.

This will probably also require some work on sysdb as we will have to
account for 2 different databases.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
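The pam_status change described in the quoted patch (start at PAM_SYSTEM_ERR, overwrite only on an explicit decision) is a fail-closed default. The following is an added illustration written for this page, not SSSD code or Sumit's patch: the PAM return codes use Linux-PAM's numbering so it builds without the PAM headers, while the operation names, the user table and the plain-string credential check are constructed stand-ins for a real backend. It puts the fail-closed handler beside a fail-open variant so the difference on an unhandled operation is visible.

```c
#include <stdio.h>
#include <string.h>

/* PAM return codes, numbered as in Linux-PAM (constructed subset so the
 * example compiles without <security/pam_appl.h>). */
enum {
    PAM_SUCCESS      = 0,
    PAM_SYSTEM_ERR   = 4,
    PAM_PERM_DENIED  = 6,
    PAM_AUTH_ERR     = 7,
    PAM_USER_UNKNOWN = 10,
};

/* Operations of the hypothetical LOCAL auth backend (constructed names). */
enum { LOCAL_AUTHENTICATE = 1, LOCAL_ACCT_MGMT = 2 };

/* Constructed local user table; the stored credential is a plain string
 * standing in for a real hashed-password verification. */
struct local_user { const char *name; const char *credential; int disabled; };
static const struct local_user local_users[] = {
    { "alice", "correct-horse",   0 },
    { "bob",   "battery-staple",  1 },   /* account is disabled */
};

static const struct local_user *local_lookup(const char *name)
{
    for (size_t i = 0; i < sizeof local_users / sizeof local_users[0]; i++)
        if (strcmp(local_users[i].name, name) == 0)
            return &local_users[i];
    return NULL;
}

/* Fail-closed: pam_status begins as PAM_SYSTEM_ERR and is only overwritten
 * by a path that explicitly decides the outcome. */
int local_pam_fail_closed(int op, const char *user, const char *cred)
{
    int pam_status = PAM_SYSTEM_ERR;
    const struct local_user *u = local_lookup(user);

    if (u == NULL) { pam_status = PAM_USER_UNKNOWN; goto done; }

    switch (op) {
    case LOCAL_AUTHENTICATE:
        if (u->disabled)
            pam_status = PAM_PERM_DENIED;
        else if (cred != NULL && strcmp(cred, u->credential) == 0)
            pam_status = PAM_SUCCESS;
        else
            pam_status = PAM_AUTH_ERR;
        break;
    case LOCAL_ACCT_MGMT:
        pam_status = u->disabled ? PAM_PERM_DENIED : PAM_SUCCESS;
        break;
    default:
        /* Unknown operation: nothing was decided, so the error default stands. */
        break;
    }
done:
    return pam_status;
}

/* Fail-open counterpart: pam_status begins as PAM_SUCCESS and is only set on
 * the failure paths the author remembered. Any branch that forgets to set it,
 * such as an operation the backend does not know, lets the request through. */
int local_pam_fail_open(int op, const char *user, const char *cred)
{
    int pam_status = PAM_SUCCESS;
    const struct local_user *u = local_lookup(user);

    if (u == NULL)
        return PAM_USER_UNKNOWN;
    if (op == LOCAL_AUTHENTICATE) {
        if (u->disabled)
            pam_status = PAM_PERM_DENIED;
        else if (cred == NULL || strcmp(cred, u->credential) != 0)
            pam_status = PAM_AUTH_ERR;
    }
    /* LOCAL_ACCT_MGMT and unknown ops fall through still holding PAM_SUCCESS. */
    return pam_status;
}

int main(void)
{
    printf("fail-closed, unknown op: %d\n", local_pam_fail_closed(99, "alice", "correct-horse"));
    printf("fail-open,   unknown op: %d\n", local_pam_fail_open(99, "alice", "correct-horse"));
    printf("fail-open, acct_mgmt on disabled bob: %d\n", local_pam_fail_open(LOCAL_ACCT_MGMT, "bob", NULL));
    return 0;
}
```

The fail-open handler returns PAM_SUCCESS both for an operation it never implemented and for account management on a disabled account, which is exactly the class of silent pass-through the PAM_SYSTEM_ERR default rules out: a forgotten branch surfaces as a visible error rather than as a successful authentication.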
