Bite the bullet and do PAM configuration the Hard Way. (Using pam_stack to sidestep the thorniness of this problem was a hack.) * Per-service configuration, probably using a parallel array for each of the services we care about. Experimental model in authconfig.conf in this directory. Needs to be expandible using only configuration data. Probably will use alchemist for the final setup, because I hate writing parsers now. * Go from hard-coded knowledge of whether or not a module is applicable to a service to checking the module file itself for the appropriate function. Probing: * Probing DNS for Kerberos and LDAP configuration. To be added as a button for one-time use. - Use SRV RRs for LDAP, a la nss_ldap: _ldap._tcp. = priority weight port server (see RFC 2782) Convert to base DN using DC components in the way just about everything does (example.com -> "dc=example,dc=com") - Use SRV RRs for Kerberos realms, a la locate_kdc.c: _kerberos._udp. = priority weight port server (see RFC 2782) We have the realm, a server name, and the port number. Use all of them. _kerberos-master._udp. = priority weight port server (see RFC 2782) We have the realm, the admin server name, and the port number. * Probing for NIS servers and domains using broadcast RPC (servers can be done by calling the NULL function for the ypserv program, and we've only got YPPROC_DOMAIN for checking if a server supports a given domain). To be added as a button for one-time use. * An easy-to-parse way to dump what we think the current configuration is (for anaconda to use if we want to add probing for default options at install-time). UI issues: * Make it clear that no server set for NIS forces "use broadcast". Probably need to reintroduce that checkbox. * Make it clear that no server set for LDAP forces "use DNS". Probably needs a checkbox. * Make no settings for Kerberos force "use DNS", as above. * Glob /lib/libnss_{libc-version}*.so for a list of possible services, and hide others? * Hide LDAP/Kerberos/SMB authentication if modules for PAM not already present? New options: * Add an "Automatically create home directories on Logons" checkbox for calling pam_mkhomedir at login-time (suggested by Shanker Balan).