[systemd-devel] Some questions on userdbd and providing a compatible service
Dominik George
nik at naturalnet.de
Wed Nov 23 23:58:25 UTC 2022
Hi,
for some time now, I have been investigating how to best make a
desktop system talk to a web API (HTTP, REST) for user management, so
NSS and PAM make HTTP requests to an API to verify authentication
(using OIDC) and to retrieve NIS information (using REST endpoints).
One of the approaches I am evaluating involves systemd-userdbd,
because it seems to be designed with extensibility with modular
service implementations in mind.
Right now, I have a few questions concerning its architecture and use:
* Why was Varlink chosen over D-Bus, given that most other parts of
systemd seem to talk D-Bus?
* How does protection of privileged fields work? In a different
approach (using my own gRPC-based protocol), I used peer
credentials on the UNIX socket for authorisation, but it seems this
should break with userdbd when going through the
multiplexer. However, I see "Warning: lacking rights to acquire
privileged fields of user record of 'testnik', output incomplete."
when I try to inspect another user as an unprivileged user. How
does userdbd determine that?
* userdbd only helps for user information, i.e. for providing data to
NSS through a decoupled interface. I would need to do the same for
PAM, but until now, I could not find an existing standard for
verifying credentials. Was that just not done yet, or is there a
design decision that userdbd should not offer methods for
authentication? I see that systemd-homed implements its own API
through D-Bus…
* Ultimately, I would like to retrieve and store an OAuth token on
user login. It would somehow be a good fit for the "secret" section
of the User Record, but the fields allowed in it seem to be
static. Are there any ideas around here where such a token could be
stored during the user session?
Thanks for your help,
Nik
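As an added illustration of the exchange behind the "output incomplete" warning discussed above (not code from this mail or from systemd itself): a minimal Varlink client for the userdb multiplexer socket. The socket path and method name follow the io.systemd.UserDatabase interface; the sample reply is constructed, and the reply's `incomplete` boolean is the signal that corresponds to that warning.

```python
# Minimal Varlink client for userdbd's io.systemd.UserDatabase interface.
# Varlink framing: one JSON object per message, terminated by a single NUL byte.
import json
import socket

# Socket the multiplexer listens on; path taken from the userdb documentation.
MULTIPLEXER_SOCKET = "/run/systemd/userdb/io.systemd.Multiplexer"
METHOD = "io.systemd.UserDatabase.GetUserRecord"

def encode_call(user_name, service="io.systemd.Multiplexer"):
    """Build the NUL-terminated request; 'service' must name the socket we connect to."""
    call = {"method": METHOD, "parameters": {"userName": user_name, "service": service}}
    return json.dumps(call).encode() + b"\0"

def parse_reply(raw):
    """Decode one reply; a Varlink error reply is raised instead of returned."""
    payload, sep, _rest = raw.partition(b"\0")
    if not sep:
        raise ValueError("truncated Varlink message (no NUL terminator)")
    reply = json.loads(payload)
    if "error" in reply:
        raise RuntimeError("varlink error: " + reply["error"])
    return reply.get("parameters", {})

def summarize(params):
    """Did the 'privileged' section come back, and did userdbd flag the record incomplete?"""
    record = params["record"]
    return {"userName": record["userName"],
            "has_privileged": "privileged" in record,
            "incomplete": bool(params.get("incomplete", False))}

def query_user(user_name, path=MULTIPLEXER_SOCKET):
    """Live query; needs a running systemd-userdbd, so it is not exercised offline."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(encode_call(user_name))
        buf = b""
        while not buf.endswith(b"\0"):  # read until the single reply is complete
            chunk = s.recv(65536)
            if not chunk:
                raise ConnectionError("userdbd closed the connection early")
            buf += chunk
    return summarize(parse_reply(buf))

# Constructed sample reply (not captured from a real system): what an unprivileged
# caller sees for another user, i.e. no "privileged" section and incomplete=true.
SAMPLE_REPLY = json.dumps({"parameters": {
    "record": {"userName": "testnik", "uid": 1000, "gid": 1000, "realName": "Test"},
    "incomplete": True}}).encode() + b"\0"
```

Running `query_user("testnik")` as root on a system with userdbd should return `has_privileged: True`; the same call as an unrelated unprivileged user yields the constructed shape above.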