Prashanth Sundaram wrote:
> Thank you Rich,
>
> so if you have some PAM module that can auth against AD (except LDAP
> which probably won't work) you can configure PAM passthrough to pass
> the auth to that PAM module, then to AD?
>
> Are you implying, the FDS will go out of picture with PAM? I mean, can
> I still use FDS to check the uid attribute and then pass it to PAM?
> I am sorry, but I am not getting the flow clearly.

The flow with login will typically go like this:

user types in username + password
client does a search for uid=username - gets back the user's full DN
client does a BIND request with full BIND DN + password
DS PAM passthrough intercepts the bind request
- uses the rule to extract the PAM userid from the BIND DN or user's entry (default will use the value of the uid=userid from the BIND DN)
- PAM passthrough plugin passes the auth userid and password to PAM (assumes properly configured PAM stack for use by DS)
- PAM passthrough plugin will accept or reject the BIND request based on the PAM auth results
- the plugin can optionally continue the BIND to use regular DS authentication if the PAM auth failed

So the real problem here is figuring out what type of PAM stack to use to authenticate to AD - note that pam_ldap will likely not work because that would load the openldap libraries into the DS process which will conflict with the mozldap libraries used by DS - so something else, perhaps winbind? I just don't know.

> Can you type in rough, how the flow goes? (Hopefully someone might
> come this way and find this helpful)
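
The bind flow described in the reply above, modelled as an added example (not part of the original message and not 389 DS code). The function names, the `pam_auth`/`ds_auth` callables and the account data are constructed for illustration; the model shows how the optional fallback changes which credential a BIND accepts.

```python
import re

def first_rdn(bind_dn):
    """Return (attr, value) of the leftmost RDN, honouring backslash escapes."""
    # Take everything up to the first comma that is not backslash-escaped.
    rdn = re.match(r'((?:\\.|[^,\\])*)', bind_dn).group(1)
    attr, sep, value = rdn.partition('=')
    if not sep:
        raise ValueError("no attribute=value pair in leftmost RDN")
    # Undo escapes: \2C style hex pairs (ASCII only in this model) or \<char>.
    def unescape(m):
        g = m.group(1)
        return chr(int(g, 16)) if len(g) == 2 else g
    return attr.strip().lower(), re.sub(r'\\([0-9A-Fa-f]{2}|.)', unescape, value)

def handle_bind(bind_dn, password, pam_auth, ds_auth, fallback=False):
    """Model of the plugin decision: 'pam', 'ds' (fallback) or 'reject'."""
    try:
        attr, userid = first_rdn(bind_dn)
    except ValueError:
        attr, userid = None, None
    # Default mapping from the message: the uid value taken from the BIND DN.
    if attr == "uid" and pam_auth(userid, password):
        return "pam"
    # Optional step: continue with regular DS authentication after PAM fails.
    if fallback and ds_auth(bind_dn, password):
        return "ds"
    return "reject"

# Constructed sample data: what the PAM stack accepts vs. what DS stores locally.
PAM_USERS = {"jsmith": "ad-secret"}
DS_PASSWORDS = {"uid=jsmith,ou=People,dc=example,dc=com": "old-local-pw"}

def pam_auth(userid, password):
    return PAM_USERS.get(userid) == password

def ds_auth(bind_dn, password):
    return DS_PASSWORDS.get(bind_dn) == password

if __name__ == "__main__":
    dn = "uid=jsmith,ou=People,dc=example,dc=com"
    for pw, fb in [("ad-secret", False), ("old-local-pw", False), ("old-local-pw", True)]:
        print(pw, "fallback" if fb else "no-fallback", "->",
              handle_bind(dn, pw, pam_auth, ds_auth, fallback=fb))
```

With fallback enabled, a password that PAM rejects can still bind if it matches the entry's locally stored password, so stale local passwords remain valid credentials unless fallback is left off.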