Prashanth Sundaram wrote:
Thank you Rich,“so if you have some PAM module that can auth against AD (except LDAP which probably won't work) you can configure PAM passthrough to pass the auth to that PAM module, then to AD”Are you implying, the FDS will go out of picture with PAM? I mean, can I still use FDS to check the uid attribute and then pass it to PAM?I am sorry, but I am not getting the flow clearly.
The flow with login will typically go like this: user types in username + password client does a search for uid=username - gets back the users full DN client does a BIND request with full BIND DN + passwordDS PAM passthrough intercepts the bind request - uses the rule to extract the PAM userid from the BIND DN or user's entry (default will use the value of the uid=userid from the BIND DN) - PAM passthrough plugin passes the auth userid and password to PAM (assumes properly configured PAM stack for use by DS) - PAM passthrough plugin will accept or reject the BIND request based on the PAM auth results - the plugin can optionally continue the BIND to use regular DS authentication if the PAM auth failed
So the real problem here is figuring out what type of PAM stack to use to authenticate to AD - note that pam_ldap will likely not work because that would load the openldap libraries into the DS process which will conflict with the mozldap libraries used by DS - so something else, perhaps winbind? I just don't know
Can you type in rough, how the flow goes? (Hopefully someone might come this way and find this helpful)------------------------------------------------------------------------ -- 389 users mailing list 389-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
<<attachment: smime.p7s>>
-- 389 users mailing list 389-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
