Some passdbs like PAM can't really return any extra fields. Also some people have wanted to combine users' data from different passdb/userdbs so that for example you'd have userdb passwd give the uid/gid/home, but then you'd also have some other userdb give quota limits.
So I was thinking something like this:
passdb {
  driver = pam
}
passdb {
  driver = sql
  include = yes
}
or:
userdb {
  driver = passwd
}
userdb {
  driver = passwd-file
  include = yes
}
I'm not sure about two things:
Should there be a way to replace all of the existing fields instead of just adding new ones?
Any thoughts of a better name than "include"? With passdb it would mean that it's included only when the authentication failed for some other passdb. With userdb it means it's included only if a previous userdb lookup succeeded.
Also there are already "deny" and "pass" settings. Interaction with them can be somewhat confusing.. Maybe all of these should be replaced with:
type=deny: Same as old deny=yes (deny auth if user is in list)
type=precondition(?): Same as pass=yes (require another passdb to match)
type=postcondition(?): Require user to exist in this passdb/userdb as well, adding any extra fields in it.
type=add: Add any extra fields, if the user exists at all.
(Better ideas for the names here? Is even "type" a good name?)
Then maybe a new setting to delete existing extra fields .. or perhaps just extend passdb { override_fields } so that having "-field" would delete the field if it already existed..
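A small model of the userdb chaining proposed in the message above, added here as an illustration; it is not Dovecot code and not from the original post. The `lookup` and `apply_overrides` helpers, the `replace` flag and the sample users are assumptions made for the example. It shows how "add only" and "replace existing fields" differ when an included userdb returns a field the first userdb already set.

```python
# Model of the proposed "include = yes" userdb chaining (not Dovecot code).
# All data below is constructed for the example.
PASSWD = {"driver": "passwd", "users": {
    "alice": {"uid": "1000", "gid": "1000", "home": "/home/alice"}}}
PASSWD_FILE = {"driver": "passwd-file", "include": True, "users": {
    # Conflicting uid on purpose: shows what "replace" would change.
    "alice": {"uid": "0", "quota_rule": "*:storage=1G"},
    # bob exists only in the included userdb.
    "bob": {"quota_rule": "*:storage=5G"}}}
CHAIN = [PASSWD, PASSWD_FILE]


def apply_overrides(result, overrides):
    """Apply override_fields; "-field" deletes a field (the post's idea)."""
    for item in overrides:
        if item.startswith("-"):
            result.pop(item[1:], None)
        else:
            key, _, value = item.partition("=")
            result[key] = value


def lookup(chain, username, replace=False):
    """Return the merged fields, or None if no regular userdb matched.

    replace=False: an included userdb only adds fields that are missing.
    replace=True:  an included userdb may overwrite existing fields.
    """
    result = None
    for db in chain:
        fields = db["users"].get(username)
        if fields is None:
            continue
        if db.get("include"):
            if result is None:
                continue  # no previous userdb lookup succeeded
            for key, value in fields.items():
                if replace or key not in result:
                    result[key] = value
        elif result is None:
            result = dict(fields)
        else:
            continue  # a regular userdb has already answered
        apply_overrides(result, db.get("override_fields", []))
    return result


if __name__ == "__main__":
    print(lookup(CHAIN, "alice"))
    print(lookup(CHAIN, "alice", replace=True))
    print(lookup(CHAIN, "bob"))
```

In add-only mode the uid from passwd survives; with replace enabled the included userdb's uid wins, which is the case the "replace all existing fields" question has to settle.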