Yes, that is what I thought. I, and I think many many others, would like to use PAM for just the authentication piece, and then fall on another directory service (XML) to do the provisioning.
Hi Stephen,
On Jan 10, 2008, at 1:10 PM, Stephen Bowman wrote:
> Has anyone looked into implementing a Directory Service for PAM (or
> system) authentication? For apache authorization, I typically use
> pwauth (which works quite well), and I noticed that there are Apache
> Directory Services, but it's not possible (as far as I can tell) to
> leverage pwauth with these. To configure pwauth, the magic occurs
> in httpd.conf pointing at pwauth - there really is no htpasswd file.
It is definitely possible to use PAM for authentication, there are PAM
bindings for Python, and there is a recent Twisted ticket about adding
the necessary implementation for verifying credentials.
( http://twistedmatrix.com/trac/ticket/2970 )
However the IDirectoryService API also handles provisioning,
which I don't think PAM exposes.
It may however be perfectly acceptable to create a directory service
that uses PAM for authentication and either the XML or SQL
IDirectoryService for provisioning.
Now work has been done in this area however, Apple doesn't use PAM
very heavily. But here are some pointers in case someone on the list
is interested in contributing.
Twisted Cred
http://twistedmatrix.com/projects/core/documentation/howto/cred.html
(We basically need a new IUsernamePassword supporting
ICredentialChecker implementation.)
Python PAM binding using Ctypes
http://pypi.python.org/pypi/pam/0.1.2
More Python PAM bindings
http://pypi.python.org/pypi/spypam/1.0
The IDirectoryService interfaces
http://trac.macosforge.org/projects/calendarserver/browser/CalendarServer/trunk/twistedcaldav/directory/idirectory.py
It looks like you'll need to override
IDirectoryRecord.verifyCredentials on the DirectoryRecord
implementation for the service you'd like to use (xmlfile or sqldb
should both be possible.)
-David
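Added example, not part of the original thread and not CalendarServer or Twisted code: a sketch of the split discussed above, where an XML file decides which accounts exist and PAM only checks the password. The class names, the `lookup` method, the XML element names and the `UsernamePassword` stand-in are all hypothetical, and the default verifier assumes a PAM binding that exposes `authenticate(user, password, service)`.

```python
import xml.etree.ElementTree as ET
from collections import namedtuple

# Stand-in for Twisted's username/password credential type (assumption: two fields).
UsernamePassword = namedtuple("UsernamePassword", "username password")

# Constructed provisioning data; element names are illustrative, not the project's schema.
ACCOUNTS_XML = """<accounts>
  <user><uid>sbowman</uid><name>Stephen Bowman</name></user>
  <user><uid>david</uid><name>David</name></user>
</accounts>"""


def pam_authenticate(username, password, service="login"):
    """Default verifier; assumes a binding exposing authenticate(user, pw, service)."""
    import pam  # imported lazily so the example loads without the binding installed
    return bool(pam.authenticate(username, password, service))


class PAMBackedRecord:
    """Hypothetical record: identity comes from XML, password checks go to PAM."""

    def __init__(self, uid, full_name, authenticate=pam_authenticate):
        self.uid, self.full_name, self._authenticate = uid, full_name, authenticate

    def verifyCredentials(self, credentials):
        # PAM needs the cleartext password, so digest-style credentials cannot be checked.
        if not isinstance(credentials, UsernamePassword):
            return False
        # Verify against this record's uid only, never a name chosen by the client.
        if credentials.username != self.uid or not credentials.password:
            return False
        try:
            return self._authenticate(self.uid, credentials.password) is True
        except Exception:
            return False  # fail closed if the PAM binding is missing or errors out


class XMLProvisionedPAMService:
    """Hypothetical service: the XML file decides who exists, PAM verifies the password."""

    def __init__(self, xml_text, authenticate=pam_authenticate):
        self._records = {}
        for user in ET.fromstring(xml_text).iter("user"):
            uid = user.findtext("uid")
            self._records[uid] = PAMBackedRecord(uid, user.findtext("name"), authenticate)

    def lookup(self, uid):
        return self._records.get(uid)  # None for system accounts not provisioned here
```

Because the password reaches PAM in cleartext, this only works with a cleartext scheme such as HTTP Basic, which belongs behind TLS. A system account that PAM would accept but that is absent from the XML file gets no record and so cannot log in.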