So possibly someone else can benefit from this, here&#39;s the final resolution:<br><br>1) Installed pwauth (<a href="http://unixpapa.com/pwauth/">http://unixpapa.com/pwauth/</a>), which is exactly what Chris suggested as a simple highly secure routine to do the PAM authentication.&nbsp; One benefit of pwauth over various others out there is that at compile time you can set the UIDs of the user(s) that can run it.&nbsp; After compiling, the pwauth binary is setuid root so that it can perform the PAM lookups.
<br><br>2) Following Cyrus&#39;s advice, I modified the wistedcaldav.directory<div id="1epi" class="ArwC7c ckChnd">.xmlfile.XMLDirectoryRecord.verifyCredentials method as follows:<br></div><br>&nbsp;&nbsp;&nbsp; def verifyCredentials(self, credentials):
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; proc1 = subprocess.Popen([&quot;/usr/local/libexec/pwauth&quot;], stdin=subprocess.PIPE, stdout=subprocess.PIPE)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; proc1.communicate(credentials.username + &quot;\n&quot; + credentials.password + &quot;\n&quot;)
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; returnval = proc1.poll()<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; # A returnval of 0 means a successful authentication, anything else is a failure<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; return returnval == 0<br><br>3) Digest HTTP authentication had to be turned OFF, and Basic had to be turned ON in the 
caldavd.plist configuration file.<br><br>Now, all users must exist in the XML file for provisioning, but the authentication piece is handled entirely by PAM.<br><br>If anyone has any problems repeating this, feel free to email me.
<br><br>Thanks,<br>-Stephen<br><br><div class="gmail_quote">On Jan 11, 2008 8:27 PM, Cyrus Daboo &lt;<a href="mailto:cdaboo@apple.com">cdaboo@apple.com</a>&gt; wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi Chris,<br><br>--On January 11, 2008 5:04:43 PM -0600 Chris Cleeland<br><div class="Ih2E3d">&lt;<a href="mailto:chris@milodesigns.com">chris@milodesigns.com</a>&gt; wrote:<br><br>&gt;&gt; But to achieve this, the Calendar Server would have to be running as
<br>&gt;&gt; root. &nbsp;The caller of the PAM functions has to be root... I can&#39;t<br>&gt;&gt; think of an easy way around this. &nbsp;Anyone else?<br>&gt;<br>&gt; Call out to another daemon that ONLY does the PAM function. &nbsp;Let that
<br>&gt; other program be simple and highly secure, and let it run as root.<br><br></div>Right, that&#39;s the right approach.<br><br>Another option would be to support SASL and then configure PAM into SASL.<br>The CMU SASL does have a saslauthd that runs separately and can do PAM, I
<br>believe. You may already be using SASL for other services such as SMTP,<br>IMAP etc.<br><br>--<br><font color="#888888">Cyrus Daboo<br></font><div><div></div><div class="Wj3C7c"><br>_______________________________________________
<br>calendarserver-users mailing list<br><a href="mailto:calendarserver-users@lists.macosforge.org">calendarserver-users@lists.macosforge.org</a><br><a href="http://lists.macosforge.org/mailman/listinfo/calendarserver-users" target="_blank">
http://lists.macosforge.org/mailman/listinfo/calendarserver-users</a><br></div></div></blockquote></div><br>