glibc/hesiod
Ulrich Drepper b17277cfa2 Update.
1998-05-15 14:36  Ulrich Drepper  <drepper@cygnus.com>

	* posix/wordexp-test.c: Avoid duplicate messages.

	* sysdeps/generic/setenv.c: Use __tfind and __tsearch, not tfind and
	tsearch.  Correctly interpret values returned by those functions.
	(unsetenv): Store pointer to string, not pointer to string pointer.

	* time/tzfile.c (__tzfile_compute): Take new arguments.  Store
	DST information and offset in them.
	* time/tzset.c (__tz_convert): Pass extra parameters to
	__tzfile_compute.  Compute equivalent values for use of tz_rules.

1998-05-15 00:49:11  Zack Weinberg  <zack@rabi.phys.columbia.edu>

	* iconvdata/Makefile (gen-8bit-table): Use move-if-change and
	stamp files to avoid unnecessary recompilation.
	(gen-8bit-gap-table): Likewise.
	(move-if-change): New variable.
	(all generated .h rules): Change to be .stmp rules.
	(%.h): New rule; depend on %.stmp; no commands.
	(distribute): Add gen-8bit.sh, gen-8bit-gap.sh,
	gen-8bit-gap-1.sh.

1998-05-15 01:09  Zack Weinberg  <zack@rabi.phys.columbia.edu>

	* Makerules (libc-map): Deleted.
	(load-map-file): Set to the appropriate compiler switch, not
	just the file name.  If libfoo-map is not set, look for a
	libfoo.map in the current directory and $(..).
	(map-file): New variable, contains just the mapfile name.
	(build-shlib): Adjust for new value of load-map-file.
	(libc.so): Correct dependencies.

	* extra-lib.mk: Correct shlib dependencies since libfoo-map
	may not be set anymore.

	* elf/Makefile: Set ld-map to $(..)libc.map, not $(libc-map).
	Delete libdl-map.  Tweak ld.so link rule to work with changed
	variable settings in Makerules.
	* iconvdata/Makefile: Tweak build-module to work with changed
	variable settings in Makerules.

	* db/Makefile: Delete libdb-map.
	* hesiod/Makefile: Delete libnss_hesiod-map.
	* linuxthreads/Makefile: Delete libpthread-map.
	* locale/Makefile: Delete libBrokenLocale-map.
	* login/Makefile: Delete libutil-map.
	* math/Makefile: Delete libm-map.
	* md5-crypt/Makefile: Delete libcrypt-map.
	* nis/Makefile: Delete libnsl-map, libnss_nis-map,
	libnss_nisplus-map, and libnss_compat-map.
	* nss/Makefile: Delete libnss_files-map, libnss_db-map, and
	libnss_ldap-map.
	* resolv/Makefile: Delete libresolv-map and libnss_dns-map.
	* rt/Makefile: Delete librt-map.

1998-05-15 01:06  Zack Weinberg  <zack@rabi.phys.columbia.edu>

	* configure.in: Instead of substituting `yes' or `no' for whether
	--no-whole-archive is available, set @no_whole_archive@ to the
	appropriate gcc switch or the empty string.  Likewise for
	-fno-exceptions.
	* config.make.in: Replace have-no-whole-archive with
	no-whole-archive and have-no-exceptions with no-exceptions.
	* Makerules: Delete stanzas setting no-whole-archive and
	no-exceptions.

	* sunrpc/Makefile: Use move-if-change to update generated .h
	and .c files.

1998-05-13  Andreas Schwab  <schwab@issan.informatik.uni-dortmund.de>

	* wcsmbs/wcsmbsload.c (extract_charset_name): Use strcspn instead
	of strchr loop.

1998-05-15  Andreas Jaeger  <aj@arthur.rhein-neckar.de>

	* time/tzfile.c (__tzfile_read): Remove unused variable info.
	(__tzfile_compute): Likewise.

1998-05-15  Andreas Jaeger  <aj@arthur.rhein-neckar.de>

	* sysdeps/unix/sysv/linux/bits/socket.h (AF_SNA,PF_SNA): Add new
	defines from Linux 2.1.102.
1998-05-15 14:46:36 +00:00
..
nss_hesiod Update. 1997-12-08 03:06:47 +00:00
hesiod_p.h Update. 1997-09-16 00:42:43 +00:00
hesiod.c Update. 1998-02-20 18:45:36 +00:00
hesiod.h Update. 1997-09-16 00:42:43 +00:00
libnss_hesiod.map Update. 1998-02-18 11:00:24 +00:00
Makefile Update. 1998-05-15 14:46:36 +00:00
README.hesiod Update. 1997-09-21 01:47:02 +00:00

The GNU C library contains an NSS module for the Hesiod name service.
Hesiod is a general name service for a variety of applications and is
based on the Berkeley Internet Name Daemon (BIND).

Introduction
============

The Hesiod NSS module implements access to all relevant standard
Hesiod types, which means that Hesiod can be used for the `group',
`passwd' and `services' databases.  There is however a restriction.
In the same way that it is impossible to use `gethostent()' to iterate
over all the data provided by DNS, it is not possible to scan the
entire Hesiod database by means of `getgrent()', `getpwent()' and
`getservent()'.  Besides, Hesiod only provides support for looking up
services by name and not for looking them up by port.  In essence this
means that the Hesiod name service is only consulted as a result of
one of the following function calls:

  * getgrname(), getgrgid()
  * getpwname(), getpwuid()
  * getservbyname()

and their reentrant counterparts.


Configuring your systems
========================

Configuring your systems to make use use the Hesiod name service
requires one or more of the following steps, depending on whether you
are already running Hesiod in your network.

Configuring NSS
---------------

First you should modify the file `/etc/nsswitch.conf' to tell
NSS for which database you want to use the Hesiod name service.  If
you want to use Hesiod for all databases it can handle your
configuration file could look like this:

  # /etc/nsswitch.conf
  #
  # Example configuration of GNU Name Service Switch functionality.
  #

  passwd:	  db files hesiod
  group:	  db files hesiod
  shadow:	  db files

  hosts:	  files dns
  networks:	  files dns

  protocols:	  db files
  services:	  db files hesiod
  ethers:	  db files
  rpc:		  db files

For more information on NSS, please refer to the `The GNU C Library
Reference Manual'.


Configuring Hesiod
------------------

Next, you will have to configure Hesiod.  If you are already running
Hesiod in your network, you probably already have a file named
`hesiod.conf' on your machines (probably as `/etc/hesiod.conf' or
`/usr/local/etc/hesiod.conf').  The Hesiod NSS module expects this
file to be found in the sysconfdir (`/usr/local/etc/hesiod.conf' by
default, see the installation notes on how to change this) or in the
location specified by the environment variable `HESIOD_CONFIG'.  If
there is no configuration file you will want to create your own.  It
should look something like:

  rhs=.your.domain
  lhs=.ns

The value of rhs can be overridden by the environment variable
HES_DOMAIN.

Configuring your name servers
-----------------------------

In addition, if you are not already running Hesiod in your network,
you need to create Hesiod information on your central name servers.
You need to run `named' from BIND 4.9 or higher on these servers, and
make them authoritative for the domain `ns.your.domain' with a line in
`/etc/named.boot' reading something like:

  primary         ns.your.domain          named.hesiod

or if you are using the new BIND 8.1 or higher add something to
`/etc/named.conf' like:

  zone "ns.your.domain" {
          type master;
          file "named.hesiod";
  };

Then in the BIND working directory (usually `/var/named') create the
file `named.hesiod' containing data that looks something like:

  ; SOA and NS records.
  @       IN      SOA     server1.your.domain admin-address.your.domain (
                  40000           ; serial - database version number
                  1800            ; refresh - sec servers
                  300             ; retry - for refresh
                  3600000         ; expire - unrefreshed data
                  7200 )          ; min
                  NS      server1.your.domain
                  NS      server2.your.domain

  ; Actual Hesiod data.
  libc.group      TXT     "libc:*:123:gnu,gnat"
  123.gid         CNAME   libc.group
  gnu.passwd      TXT     "gnu:*:4567:123:GNU:/home/gnu:/bin/bash"
  456.uid         CNAME   mark.passwd
  nss.service     TXT     "nss;tcp;789;switch sw "
  nss.service     TXT     "nss;udp;789;switch sw"

where `libc' is an example of a group, `gnu' an example of an user,
and `nss' an example of a service.  Note that the format used to
describe services differs from the format used in `/etc/services'.
For more information on `named' refer to the `Name Server Operations
Guide for BIND' that is included in the BIND distribution.


Security
========

Note that the information stored in the Hesiod database in principle
is publicly available.  Care should be taken with including vulnerable
information like encrypted passwords in the Hesiod database.  There
are some ways to improve security by using features provided by
`named' (see the discussion about `secure zones' in the BIND
documentation), but one should keep in mind that Hesiod was never
intended to distribute passwords.  In the origional design
authenticating users was the job of the Kerberos service.


More information
================

For more information on the Hesiod name service take a look at some of
the papers in ftp://athena-dist.mit.edu:/pub/ATHENA/usenix and the
documentation that accompanies the source code for the Hesiod name
service library in ftp://athena-dist.mit.edu:/pub/ATHENA/hesiod.

There is a mailing list at MIT for Hesiod users, hesiod@mit.edu.  To
get yourself on or off the list, send mail to hesiod-request@mit.edu.