But to achieve this, the Calendar Server would have to be running as root.&nbsp; The caller of the PAM functions has to be root... I can&#39;t think of an easy way around this.&nbsp; Anyone else?<br><br><div class="gmail_quote">On Jan 11, 2008 10:57 AM, Cyrus Daboo &lt;
<a href="mailto:cdaboo@apple.com">cdaboo@apple.com</a>&gt; wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hi Stephen,<br><br>--On January 11, 2008 8:26:04 AM -0500 Stephen Bowman &lt;
<a href="mailto:sbbowman@gmail.com">sbbowman@gmail.com</a>&gt;<br>wrote:<br><div class="Ih2E3d"><br>&gt; Yes, that is what I thought. &nbsp;I, and I think many many others, would like<br>&gt; to use PAM for just the authentication piece, and then fall on another
<br>&gt; directory service (XML) to do the provisioning.<br>&gt;<br><br></div>In the short term you can do this:<br><br>- Configure the server to use the XML accounts.<br>- Then modify/override the<br>twistedcaldav.directory.xmlfile.XMLDirectoryRecord.verifyCredentials
 method<br>to do the PAM check returning True or False depdning on whether<br>authentication succeeds.<br><br>In the longer term we need to support a &quot;pluggable&quot; authentication<br>approach. That would probably involve changing the
<br>twistedcaldav.directory.directory.DirectoryService.requestAvatarId method<br>to accept &quot;pluggable&quot; credentials checkers. Note that right now we do have<br>that method hard-coded to recognize the Kerberos checker and use that. We
<br>just need to generalize that approach. Feel free to tackle that and send in<br>patches if you have time...<br><br>--<br><font color="#888888">Cyrus Daboo<br><br></font></blockquote></div><br>