I have a number of ideas floating in my head about where to go next. I think my 'dream' would be the following, and would like input on it. Note that going down this road would probably be a challenge for me due to the fact I've never worked with sockets or threads. Let me know if you'd rather see some other enhancements to the 1.x series instead of this basically entirely new project.
Project X (as I'll call it for now) would support NSS and PAM, including password changes via PAM. It would do so by requiring an NSS library, a PAM library, and a daemon that the NSS library and PAM library talk to via sockets. The daemon would take care of funneling requests to the SQL server. The daemon would dynamically load the SQL driver needed (MySQL, Postgres, maybe ODBC, etc.). This solves several problems:
1) Full PAM support (I can't do this under the current model without security implications)
2) Keep the DB connection count low
3) Enable more than just MySQL (this could be done in libnss-mysql though.. and I may do that anyway)
4) Perhaps speed things up especially in a multithreaded environment
I'd *really* like to get the nss library to the point where it opens a socket, asks for something, gets the answer, and closes the socket, for each and every call. That might be too slow, however. That would eliminate some *UGLY* hacks I've had to write into libnss-mysql around threading and forking.
I'd have to figure out some sort of authentication mechanism between the NSS/PAM libraries and the daemon.
I'd have to figure out how to properly write a multi-platform multi-threaded daemon.
I could even make the project more generic - e.g. create an API where ANY source of data could be used for a backend, without having to worry about the ugliness of sockets/TCP inside an NSS library (it really sucks). It would make coding for multiple servers / failover easier, too.
Thoughts?
I've no real "thoughts" about a next version, just some random crap....
I just want to say I like the idea of a separate daemon, that could really speed things up.
My major "wannahave" for a new version would be PAM support though. A friend of mine is already developing a PAM passwd changing module, but while setting up my system I also encountered some points where full PAM support would be of use.
Nice ideas and good luck with the next version :)
PAM support is going to be tricky. It's certainly easy enough to write one, however the MySQL password that's used to change a user's data could be extracted by a malicious user and then used to change anyone and everyone's password! I have to find out how to protect against this first. That's part of the reason for the daemon as well. FWIW the pam_mysql module out there does coexist with libnss-mysql if you have special PAM authentication needs.
Well I came a little later, anyway, I'm using nss-mysql to authenticate several domains hosted in the same server, something like http://savannah.nongnu.org/projects/nss-multidom/
Anyway, I added a few lines to lookup.c, just in case someone needs them.
Cheers,
*********************************************************************
diff -Nupr libnss-mysql-1.4-orig/src/lookup.c libnss-mysql-1.4/src/lookup.c
--- libnss-mysql-1.4-orig/src/lookup.c 2004-11-13 12:09:49.000000000 -0600
+++ libnss-mysql-1.4/src/lookup.c 2005-04-29 00:23:37.731233776 -0500
@@ -20,6 +20,13 @@ static const char rcsid[] =
#include "nss_mysql.h"
#include <stdio.h> /* snprintf () */
+//Modified: by Carlos Vences
+//email: carlos@eekbalam.com
+//Started: Apr 25th 2005
+//Last Updated: Apr 25th 2005
+//Description: Added stdlib.h to read *nix environment variables
+// to provide multidomain support.
+#include <stdlib.h> /* getenv () */
#include <string.h> /* strcpy () */
extern conf_t conf;
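Review bot: the seven-line `//Modified: by ... //Last Updated: ...` header in this hunk belongs in the ChangeLog or commit message rather than inline, and it uses `//` comments in a file whose existing comments are `/* ... */` (see `/* snprintf () */` on the adjacent include). Reduce the hunk to the single `#include <stdlib.h> /* getenv () */` line in the surrounding style.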
@@ -67,7 +74,14 @@ _nss_mysql_build_query (lookup_t ltype,
}
if (_nss_mysql_escape_string (clean_name, name, mresult) != NSS_SUCCESS)
DSRETURN (NSS_UNAVAIL)
- retVal = snprintf (qout, MAX_QUERY_SIZE, qin, clean_name);
+ //Modified: by Carlos Vences
+ //TODO: Put envName out of this file lookup.h perhaps
+ char *envName="DOMAIN";
+
+ char *domain=getenv(envName);
+
+ retVal = snprintf (qout, MAX_QUERY_SIZE, qin, clean_name, domain);
+ //retVal = snprintf (qout, MAX_QUERY_SIZE, qin, clean_name);
if (retVal < 1 || retVal >= MAX_QUERY_SIZE)
{
_nss_mysql_log (LOG_CRIT, "%s: snprintf error: %d", FUNCNAME, retVal);
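Review bot: `getenv(envName)` can return NULL when `DOMAIN` is unset, and that NULL is then passed straight to `snprintf` for the `%2$s` conversion, which is undefined behaviour; check the result and fail closed, e.g. `if (domain == NULL) DSRETURN (NSS_UNAVAIL)`, before building the query. The value is also substituted unescaped, while `name` is run through `_nss_mysql_escape_string` on the line just above; since the environment belongs to the calling process, `domain` needs the same escaping (or a strict character allowlist) before it is placed inside a quoted SQL literal. Minor points: `char *envName` and `char *domain` are declared after a statement, which pre-C99 compilers reject, so move them to the top of the function; and the commented-out `//retVal = snprintf (... clean_name);` line should be deleted rather than kept.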
***************************************************************
Then I changed nss-mysql.cfg to:
--- libnss-mysql.cfg-orig 2005-04-29 00:41:48.475415456 -0500
+++ libnss-mysql.cfg 2005-04-26 17:54:06.000000000 -0500
@@ -1,35 +1,35 @@
getpwnam SELECT username,'x',uid,gid,gecos,homedir,shell \ FROM users \ - WHERE username='%1$s' \ + WHERE username='%1$s' AND domain='%2$s' \ LIMIT 1
getpwuid SELECT username,'x',uid,gid,gecos,homedir,shell \ FROM users \ - WHERE uid='%1$u' \ + WHERE uid='%1$u' AND domain='%2$s' \
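Review bot: the `getpwuid` template now references `%2$s`, but the only lookup.c change shown adds the `domain` argument to the `snprintf` call that passes `clean_name` (the name-based path); the uid-based path that supplies `%1$u` must be changed the same way, otherwise `snprintf` reads a second argument that was never passed. Note also that with positional conversions every argument from `%1$` up to the highest number used must be supplied, so templates left with only `%1$s` still work with the extra argument ignored, while any template using `%2$s` needs both.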
and so on...
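The DOMAIN-from-environment lookup described in this post, written as an added stand-alone example (not libnss-mysql's own code): the value is validated with a hostname-style allowlist and checked for NULL before it is substituted into a config-style positional format, so an unset or malformed variable fails closed instead of reaching the database. `build_domain_query`, `domain_is_safe` and the size constants are hypothetical names introduced here.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define MAX_QUERY_SIZE 512   /* assumed buffer size, like lookup.c's constant */
#define MAX_DOMAIN_LEN 63    /* one DNS label's worth of characters */

/* Accept only letters, digits, '.' and '-', so the value can never close
 * the quoted literal in the query template. Returns 1 if the domain is
 * usable, 0 if it is NULL, empty, too long, or contains anything else. */
static int domain_is_safe(const char *d)
{
    if (d == NULL || *d == '\0' || strlen(d) > MAX_DOMAIN_LEN)
        return 0;
    for (; *d; d++)
        if (!isalnum((unsigned char)*d) && *d != '.' && *d != '-')
            return 0;
    return 1;
}

/* Fill qout (MAX_QUERY_SIZE bytes) from the template qin, which uses the
 * same positional %1$s / %2$s conversions as the libnss-mysql.cfg lines in
 * the post, with an already-escaped user name and the DOMAIN variable.
 * Returns 0 on success, -1 if DOMAIN is unset or unsafe (no query is
 * built), and -2 if the result would be truncated. */
int build_domain_query(char *qout, const char *qin, const char *clean_name)
{
    const char *domain = getenv("DOMAIN");
    int ret;

    if (!domain_is_safe(domain))
        return -1;                       /* fail closed, as NSS_UNAVAIL would */
    ret = snprintf(qout, MAX_QUERY_SIZE, qin, clean_name, domain);
    if (ret < 1 || ret >= MAX_QUERY_SIZE)
        return -2;
    return 0;
}
```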
That looks like a good addition. I got your email (sorry I haven't replied recently) - you mention it's not working for authentication. You should be able to set up daemons (init scripts, xinetd, etc) to work with the environment variable too, though. Can you give me a specific example where this doesn't work?
I'm not actively developing libnss-mysql; instead, I'm working on the FSSOS project (the nsvs package). I do plan on getting features like the one you've created here into nsvs soon.
http://fssos.sf.net/