[CalendarServer-users] PAM Authentication?
Stephen Bowman
sbbowman at gmail.com
Fri Jan 11 05:26:04 PST 2008
Yes, that is what I thought. I, and I think many many others, would like to
use PAM for just the authentication piece, and then fall on another
directory service (XML) to do the provisioning.
On Jan 10, 2008 5:43 PM, David Reid <dreid at apple.com> wrote:
> Hi Stephen,
>
> On Jan 10, 2008, at 1:10 PM, Stephen Bowman wrote:
>
> > Has anyone looked into implementing a Directory Service for PAM (or
> > system) authentication? For apache authorization, I typically use
> > pwauth (which works quite well), and I noticed that there are Apache
> > Directory Services, but it's not possible (as far as I can tell) to
> > leverage pwauth with these. To configure pwauth, the magic occurs
> > in httpd.conf pointing at pwauth - there really is no htpasswd file.
>
> It is definitely possible to use PAM for authentication, there are PAM
> bindings for Python, and there is a recent Twisted ticket about adding
> the necessary implementation for verifying credentials. (
> http://twistedmatrix.com/trac/ticket/2970
> ) However the IDirectoryService API also handles provisioning,
> which I don't think PAM exposes.
>
> It may however be perfectly acceptable to create a directory service
> that uses PAM for authentication and either the XML or SQL
> IDirectoryService for provisioning.
>
> Now work has been done in this area however, Apple doesn't use PAM
> very heavily. But here are some pointers in case someone on the list
> is interested in contributing.
>
> Twisted Cred
> http://twistedmatrix.com/projects/core/documentation/howto/cred.html
>
> (We basically need a new IUsernamePassword supporting
> ICredentialChecker implementation.)
>
> Python PAM binding using Ctypes
> http://pypi.python.org/pypi/pam/0.1.2
>
> More Python PAM bindings
> http://pypi.python.org/pypi/spypam/1.0
>
> The IDirectoryService interfaces
>
> http://trac.macosforge.org/projects/calendarserver/browser/CalendarServer/trunk/twistedcaldav/directory/idirectory.py
>
> It looks like you'll need to override
> IDirectoryRecord.verifyCredentials on the DirectoryRecord
> implementation for the service you'd like to use (xmlfile or sqldb
> should both be possible.)
>
> -David
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.macosforge.org/pipermail/calendarserver-users/attachments/20080111/083e681a/attachment.html
More information about the calendarserver-users
mailing list