[systemd-devel] Some questions on userdbd and providing a compatible service

Dominik George nik at naturalnet.de
Wed Nov 23 23:58:25 UTC 2022


Hi,

for some time now, I have been investigating how to best make a
desktop system talk to a web API (HTTP, REST) for user management, so
NSS and PAM make HTTP requests to an API to verify authentication
(using OIDC) and to retrieve NIS information (using REST endpoints).

One of the approaches I am evaluating involves systemd-userdbd,
because it seems to be designed with extensibility with modular
service implementations in mind.

Right now, I have a few questions concerning its architecture and use:

 * Why was Varlink chosen over D-Bus, given that most other parts of
   systemd seem to talk D-Bus?

 * How does protection of privileged fields work? In a different
   approach (using my own gRPC-based protocol), I used peer
   credentials on the UNIX socket for authorisation, but it seems this
   should break with userdbd when going through the
   multipelxer. However, I see "Warning: lacking rights to acquire
   privileged fields of user record of 'testnik', output incomplete."
   when I try to inspect another user as an unprivileged user. How
   does userdbd determine that?

 * userdbd only helps for user information, i.e. for providing data to
   NSS through a decoupled interface. I would need to do the same for
   PAM, but intil now, I could not find an existing standard for
   verifying credentials. Was that just not done yet, or is there a
   design decision that userdbd should not offer methods for
   authentication? I see that systemd-homed implements its own API
   through D-Bus…

 * Ultimately, I would like to retrieve and store an OAuth token on
   user login. It would somehow be a good fit for the "secret" section
   of the User Record, but the fields allowed in it seem to be
   static. Are there any ideas around here where such a token could be
   stored during the user session?

Thanks for your help,
Nik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 297 bytes
Desc: not available
URL: <https://lists.freedesktop.org/archives/systemd-devel/attachments/20221124/e14b0b67/attachment.sig>


More information about the systemd-devel mailing list