Custom libnss module development - alternative to /etc/nsswitch.conf

I am an open source developer, who just switched to macOS a few weeks ago.

I am basically looking for an alternative to Linux's /etc/nsswitch.conf. Not for custom DNS resolution, that's an easy problem to solve, but for users / groups / hosts resolution via custom network modules. Basically I am looking for a way to hook into the OS in much the same way an LDAP client would, and provide my own NSS modules.

Just for reference, I am developing rauthy which can do PAM authn / authz in combination with rauthy-pam-nss. It works perfectly fine on Linux systems, and I now want to make it work on macOS as well.

I already know that macOS is running its mDNSResponder for DNS instead of having the nsswitch.conf, but I have not found an answer for users, groups and hosts.

Answered by DTS Engineer in 868622022

On macOS the traditional Unix-y directory APIs — things like getpwent — are implemented within libinfo. That delegates the work to the Open Directory API [1], which in turn defers to opendirectoryd [2]. That supports various back ends via a plug-in mechanism:

  • Historically there was a Directory Service plug-in API.
  • These days that’s been supplanted by Open Directory modules.

My understanding is that it is possible to develop a third-party OD module to provide access to custom directory records. However, it’s not for the faint of heart.

For example, the documentation for this, known as the Open Directory Plug-in Programming Guide, was only ever available in the Documentation Archive and has now been removed in favour of platform SSO. You can, however, still find a copy on the Wayback Machine [3].

But that raises the question of whether you should go down this path at all. Open Directory modules were only ever supported on macOS, so they’ve never been available on iOS or any of its child platforms. In contrast, all of our platforms support identity providers (IdP’s) via more modern APIs — app and platform SSO app extensions — and that’s clearly the direction we’re heading.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] This is public API, both for Objective-C and C, but the implementation is not part of the Darwin open source.

[2] See the opendirectoryd man page.

[3] https://web.archive.org/web/20240424133610/https://developer.apple.com/library/archive/documentation/Networking/Conceptual/Open_Dir_Plugin/Introduction/Introduction.html#//apple_ref/doc/uid/TP40000918
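To see the libinfo → Open Directory → opendirectoryd chain described above from the other side, here is an added example (not code from the thread or from Apple) that uses the public Open Directory API to list the nodes on the authentication search path and report which node actually serves a given user record. It assumes the user name is passed as argv[1]; the node names in the comment are illustrative.

```objective-c
// Added example (not from the thread): ask opendirectoryd which search-path node
// serves a user record. Assumes the user name is given as argv[1].
// Build: clang -framework Foundation -framework OpenDirectory -o odwhere odwhere.m
#import <Foundation/Foundation.h>
#import <OpenDirectory/OpenDirectory.h>

// Node names consulted for lookups, e.g. "/Local/Default", "/LDAPv3/ldap.example".
static NSArray<NSString *> *searchPathNodes(NSError **error) {
    ODNode *search = [ODNode nodeWithSession:[ODSession defaultSession]
                                        type:kODNodeTypeAuthentication
                                       error:error];
    return search ? [search subnodeNamesAndReturnError:error] : nil;
}

// The node that returned the record for `name` (its MetaNodeLocation attribute);
// nil if no node on the search path knows the user.
static NSString *nodeServingUser(NSString *name, NSError **error) {
    ODNode *search = [ODNode nodeWithSession:[ODSession defaultSession]
                                        type:kODNodeTypeAuthentication
                                       error:error];
    if (search == nil) return nil;
    ODQuery *query = [ODQuery queryWithNode:search
                             forRecordTypes:kODRecordTypeUsers
                                  attribute:kODAttributeTypeRecordName
                                  matchType:kODMatchEqualTo
                                queryValues:name
                           returnAttributes:kODAttributeTypeMetaNodeLocation
                             maximumResults:1
                                      error:error];
    ODRecord *record = [[query resultsAllowingPartial:NO error:error] firstObject];
    if (record == nil) return nil;
    return [[record valuesForAttribute:kODAttributeTypeMetaNodeLocation error:error] firstObject];
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        if (argc != 2) { fprintf(stderr, "usage: odwhere <user>\n"); return 2; }
        NSError *error = nil;
        for (NSString *node in searchPathNodes(&error)) {
            printf("search path: %s\n", node.UTF8String);
        }
        NSString *user = @(argv[1]);
        NSString *node = nodeServingUser(user, &error);
        if (node == nil) { fprintf(stderr, "%s: not found\n", user.UTF8String); return 1; }
        printf("%s is served by %s\n", user.UTF8String, node.UTF8String);
    }
    return 0;
}
```

Running it against an account is a quick way to confirm which back end (local node, LDAP node or a third-party module) is answering for that user, which is what you would check if a custom module or search-path entry turned up unexpectedly.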


Thank you very much for the detailed response.

My understanding is that it is possible to develop a third-party OD module to provide access to custom directory records. However, it’s not for the faint of heart.

That would usually be the way to go for me, but since platform SSO is kind of the successor, it's not the best idea, yes.

I had a quick first look at platform SSO and the tokens and claims already look quite a bit like OAuth / OIDC anyway, which would be even easier, if I can add my own custom IdP. I will dig deeper into this topic.

Thank you very much, that was super helpful!
