We split naming services from authentication services because they are
not the same thing.  Any nsswitch module that provides a crypted-password
field is enough to make pam_unix work, so nss_ldap + pam_unix can be used
for authentication.  The problem is that this is not enough (users can't
change their passwords with this setup), and you can't assume that
nss_ldap implies pam_ldap is the right thing to use, because the network
might just as likely be using Kerberos for authentication.

Currently, we read and parse the "passwd" entry in /etc/nsswitch.conf to
get the client configuration.  We always assume that "files" is enabled,
and don't preserve order or control flags.  Depending on what is enabled,
we write out entries in the file, adding modules for a particular service
based on a priori knowledge of whether or not a particular module is
applicable to the service.  Because we control nis, hesiod, and ldap, we
always add or remove those.  We preserve "db" and "nisplus" if we found
them being used.
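
The rewrite rule described above, as an added example (not code from
authinfo.c).  The helper names, the fixed output order, and the dropping of
unrecognized source names are assumptions of this sketch.

```c
#include <stdio.h>
#include <string.h>
/* Example only, not authinfo.c: helper names and output order are assumed. */
static int is_name(const char *tok, size_t len, const char *name)
{
    return strlen(name) == len && strncmp(tok, name, len) == 0;
}

/* Rebuild a "passwd:" line.  nis/hesiod/ldap are the caller's settings;
 * "db" and "nisplus" are kept only if the old line used them. */
int rewrite_passwd(const char *line, int nis, int hesiod, int ldap,
                   char *out, size_t outlen)
{
    int db = 0, nisplus = 0, in_flag = 0, n;
    const char *p;
    size_t len;
    if (strncmp(line, "passwd:", 7) != 0)
        return -1;
    for (p = line + 7; ; p += len) {
        p += strspn(p, " \t\n");
        len = strcspn(p, " \t\n");
        if (len == 0 || (*p == '#' && !in_flag))
            break;                  /* end of line or start of a comment */
        if (*p == '[')
            in_flag = 1;            /* control flag, e.g. [NOTFOUND=return] */
        if (in_flag) {
            if (memchr(p, ']', len) != NULL)
                in_flag = 0;        /* flag is dropped, not preserved */
        } else if (is_name(p, len, "db")) {
            db = 1;
        } else if (is_name(p, len, "nisplus")) {
            nisplus = 1;
        }   /* any other source name is dropped (assumption) */
    }
    /* "files" is always written; the order is fixed, not the input's. */
    n = snprintf(out, outlen, "passwd:     files%s%s%s%s%s",
                 db ? " db" : "", nisplus ? " nisplus" : "",
                 nis ? " nis" : "", hesiod ? " hesiod" : "",
                 ldap ? " ldap" : "");
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char out[128];
    /* Constructed sample line; ldap switched on, nis switched off. */
    if (rewrite_passwd("passwd: nis [NOTFOUND=return] db files\n",
                       0, 0, 1, out, sizeof(out)) == 0)
        puts(out);
    return 0;
}
```

Because control flags and order are not carried over, a line that relied on
[NOTFOUND=return] to stop lookups from falling through to later sources no
longer does so after the rewrite.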

PAM configuration only touches /etc/pam.d/system-auth.  We assume pam_unix
first.  If enabled, pam_krb5 or pam_krb5afs comes next, then pam_ldap.
For passwords, pam_cracklib goes first.  All services use pam_limits.  Not
all can use pam_access, so we'll have to modify PAM configs as packages
churn.

The code is roughly divided into two modules: the back and the front.  The
back is in authinfo.[ch], and the front is authconfig.c.  They communicate
by using the authInfoRead() and authInfoWrite() functions.  The rest is
gravy.

Logic that warns about needed packages and restarts services as needed is
only in the front-end.  Putting that in the back-end isn't worth it until
we actually have another front-end.
