Directory Server Authentication Pass through with Kerberos or saslauthd


 



Rich,

Configuring the pam plugin went really well, and was really
straightforward to follow; thanks for putting up the docs online and
writing the pam plugin. I did have to pull over the
libpam-passthru-plugin.so file from a copy of Fedora Directory Server
v1.1, since it doesn't look like Red Hat Directory Server 8.0 ships
with it. The plugin lists as version 1.1; is that the appropriate
version of the library?

-Tim





Rich Megginson wrote:
> Tim Hartmann wrote:
>> Hi Rich, thanks for the reply!
>>
>> Rich Megginson wrote:
>>  
>>>> http://directory.fedoraproject.org/wiki/Howto:PAM_Pass_Through
>>>>
>>>> Which seems like it could work, but seems kind of like a hack for
>>>> what I'm trying to do and it seemed like I couldn't be the only one
>>>> who wanted to do it! I suspect there's something I'm just
>>>> missing!
>>> That hack was invented for those who wanted to use Kerberos as the
>>> authoritative source for password information.  pampassthru passes the
>>> password to Kerberos via pam.
>>>
>>>     
>> That's *really* what I'd like to do... actually keep Kerberos as my
>> authoritative source for password data. I was hoping there might have
>> been a saslauthd plugin that I may have missed to proxy passwords back
>> to ldap as well, or maybe some other step that I'd missed in my
>> research.
>>
>>
>>  
>>> If you're really interested in using Fedora DS as the authoritative
>>> source for password information, and have Kerberos use Fedora DS to
>>> store the passwords, you really need freeipa.org
>>>     
>>
>> We took a look at Freeipa.org but it didn't seem to be as good a fit for us,
>> especially since we wanted to keep Kerberos as our password store.  If I
>> can get simple binds to work through pam for those applications that
>> don't support GSS/SASL that would be a huge win!
>>
>>
>> Out of curiosity, was there any reason for proxying through pam rather
>> than something like saslauthd?
> The people who wanted this feature didn't want the overhead of an
> additional server daemon (saslauthd).  They already had a pam stack
> that did kerberos auth and they just wanted Fedora DS to use that -
> pam passthru.
>>
>> Thanks again!
>>
>> Tim
>>
>>
>> -- 
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>   
>



