We split naming services from authentication services because they are
not the same thing.  Any nsswitch module that provides a crypted-password
field is enough to make pam_unix work, so nss_ldap + pam_unix can be used
for authentication.  The problem is that this is not enough (users can't
change their passwords with this setup), and you can't assume that nss_ldap
implies pam_ldap is the right thing to use, because the network might
just as likely be using Kerberos for authentication.

Currently, we read and parse the "passwd" entry in /etc/nsswitch.conf to
get the client configuration.  We always assume that "files" is enabled,
and don't preserve order or control flags.  Depending on what is enabled,
we write out entries in the file, adding modules for a particular service
based on a priori knowledge of whether or not a particular module is
applicable to the service.  Because we control nis, hesiod, ldap, and winbind,
we add and remove those always.  We preserve "db" and "nisplus" if we found
them being used.
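
The round trip described above, as an added sketch that is not taken from
authinfo.c: every identifier is hypothetical, and emitting sources in table
order is an assumption, since the text does not state the output order.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration; identifiers are hypothetical, not authconfig's. */
enum { FILES, DB, NISPLUS, NIS, HESIOD, LDAP, WINBIND, NSRC };
static const char *const src_name[NSRC] = {
    "files", "db", "nisplus", "nis", "hesiod", "ldap", "winbind"
};
#define BIT(s)  (1u << (s))
#define KEPT    (BIT(DB) | BIT(NISPLUS))    /* preserved if found */
#define MANAGED (BIT(NIS) | BIT(HESIOD) | BIT(LDAP) | BIT(WINBIND))

/* Bitmask of sources on a "passwd:" line.  Bracketed control flags such as
 * [NOTFOUND=return] are skipped and source order is not recorded. */
unsigned parse_passwd(const char *line)
{
    unsigned found = 0;
    int in_flag = 0;

    if (strncmp(line, "passwd:", 7) != 0)
        return 0;
    for (const char *p = line + 7;;) {
        p += strspn(p, " \t\n");
        size_t n = strcspn(p, " \t\n");
        if (n == 0 || *p == '#')        /* end of line or trailing comment */
            break;
        if (*p == '[')
            in_flag = 1;
        for (int s = 0; !in_flag && s < NSRC; s++)
            if (strlen(src_name[s]) == n && strncmp(p, src_name[s], n) == 0)
                found |= BIT(s);
        if (p[n - 1] == ']')
            in_flag = 0;
        p += n;
    }
    return found;
}

/* New line: "files" always, db/nisplus only if found, managed sources only
 * if enabled.  Emitting in table order is an assumption of this sketch. */
void write_passwd(unsigned found, unsigned enabled, char *out, size_t len)
{
    unsigned mask = BIT(FILES) | (found & KEPT) | (enabled & MANAGED);
    size_t used = (size_t)snprintf(out, len, "passwd:");
    for (int s = 0; s < NSRC && used < len; s++)
        if (mask & BIT(s))
            used += (size_t)snprintf(out + used, len - used, " %s", src_name[s]);
}
```

With the constructed line "passwd: files nis [NOTFOUND=return] ldap db" and
only ldap and winbind enabled, the rewritten line is
"passwd: files db ldap winbind".  The control flag and the original order do
not survive the round trip.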

PAM configuration only touches /etc/pam.d/system-auth.  We assume pam_unix
first.  If enabled, pam_krb5 (or pam_krb5afs, if /afs exists) comes next,
then pam_ldap, then pam_winbind.  For passwords, pam_cracklib goes first.
All services use pam_limits.  Not all can use pam_access (which requires that
a TTY is set by the calling application).

The code is roughly divided into two modules: the back and the front.  The
back is in authinfo.[ch], and the front is authconfig.c.  They communicate
by using the authInfoRead() and authInfoWrite() functions.  The rest is
gravy, so to speak.
