[CalendarServer-users] PAM Authentication?

David Reid dreid at apple.com
Thu Jan 10 14:43:13 PST 2008

Hi Stephen,

On Jan 10, 2008, at 1:10 PM, Stephen Bowman wrote:

> Has anyone looked into implementing a Directory Service for PAM (or  
> system) authentication?  For apache authorization, I typically use  
> pwauth (which works quite well), and I noticed that there are Apache  
> Directory Services, but it's not possible (as far as I can tell) to  
> leverage pwauth with these.  To configure pwauth, the magic occurs  
> in httpd.conf pointing at pwauth - there really is no htpasswd file.

It is definitely possible to use PAM for authentication, there are PAM  
bindings for Python, and there is a recent Twisted ticket about adding  
the necessary implementation for verifying credentials. ( http://twistedmatrix.com/trac/ticket/2970 
  )  However the IDirectoryService API also handles provisioning,  
which I don't think PAM exposes.

It may however be perfectly acceptable to create a directory service  
that uses PAM for authentication and either the XML or SQL  
IDirectoryService for provisioning.

Now work has been done in this area however, Apple doesn't use PAM  
very heavily.   But here are some pointers in case someone on the list  
is interested in contributing.

Twisted Cred

(We basically need a new IUsernamePassword supporting  
ICredentialChecker implementation.)

Python PAM binding using Ctypes

More Python PAM bindings

The IDirectoryService interfaces

It looks like you'll need to override  
IDirectoryRecord.verifyCredentials on the DirectoryRecord  
implementation for the service you'd like to use (xmlfile or sqldb  
should both be possible.)


More information about the calendarserver-users mailing list