[CalendarServer-users] PAM Authentication?

Stephen Bowman sbbowman at gmail.com
Fri Jan 11 05:26:04 PST 2008

Yes, that is what I thought.  I, and I think many, many others, would like to
use PAM for just the authentication piece, and then fall back on another
directory service (XML) to do the provisioning.

On Jan 10, 2008 5:43 PM, David Reid <dreid at apple.com> wrote:

> Hi Stephen,
> On Jan 10, 2008, at 1:10 PM, Stephen Bowman wrote:
> > Has anyone looked into implementing a Directory Service for PAM (or
> > system) authentication?  For apache authorization, I typically use
> > pwauth (which works quite well), and I noticed that there are Apache
> > Directory Services, but it's not possible (as far as I can tell) to
> > leverage pwauth with these.  To configure pwauth, the magic occurs
> > in httpd.conf pointing at pwauth - there really is no htpasswd file.
>
> It is definitely possible to use PAM for authentication, there are PAM
> bindings for Python, and there is a recent Twisted ticket about adding
> the necessary implementation for verifying credentials
> (http://twistedmatrix.com/trac/ticket/2970).  However the
> IDirectoryService API also handles provisioning, which I don't think
> PAM exposes.
>
> It may however be perfectly acceptable to create a directory service
> that uses PAM for authentication and either the XML or SQL
> IDirectoryService for provisioning.
>
> Now work has been done in this area however, Apple doesn't use PAM
> very heavily.   But here are some pointers in case someone on the list
> is interested in contributing.
>
> Twisted Cred
> http://twistedmatrix.com/projects/core/documentation/howto/cred.html
> (We basically need a new IUsernamePassword supporting
> ICredentialChecker implementation.)
>
> Python PAM binding using Ctypes
> http://pypi.python.org/pypi/pam/0.1.2
>
> More Python PAM bindings
> http://pypi.python.org/pypi/spypam/1.0
>
> The IDirectoryService interfaces
> http://trac.macosforge.org/projects/calendarserver/browser/CalendarServer/trunk/twistedcaldav/directory/idirectory.py
>
> It looks like you'll need to override
> IDirectoryRecord.verifyCredentials on the DirectoryRecord
> implementation for the service you'd like to use (xmlfile or sqldb
> should both be possible.)
>
> -David
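
The split discussed in this thread (XML for provisioning, PAM for the password check inside verifyCredentials), sketched as an added example; it is not code from CalendarServer, Twisted or either poster. The class names, the `lookup` and `authenticate` helpers, the `caldav` PAM service name and the XML layout are assumptions made for illustration, and the PAM call is injected as `pam_check` so the sketch runs without a PAM binding installed.

```python
import xml.etree.ElementTree as ET

# Constructed sample accounts file (simplified; the real schema may differ).
ACCOUNTS_XML = """
<accounts realm="Example Realm">
  <user><uid>alice</uid><name>Alice Example</name></user>
  <user><uid>bob</uid><name>Bob Example</name></user>
</accounts>
"""

class UsernamePassword:
    """Duck-typed stand-in for a Twisted IUsernamePassword credential."""
    def __init__(self, username, password):
        self.username, self.password = username, password

class PAMBackedRecord:
    """Hypothetical record: provisioning data from XML, password check via PAM."""
    def __init__(self, uid, full_name, pam_check, pam_service):
        self.uid, self.full_name = uid, full_name
        self._pam_check, self._pam_service = pam_check, pam_service

    def verifyCredentials(self, credentials):
        # A record only vouches for its own uid, and never for an empty password.
        if credentials.username != self.uid or not credentials.password:
            return False
        try:
            # pam_check(user, password, service) -> bool is the assumed callable shape.
            return self._pam_check(self.uid, credentials.password, self._pam_service) is True
        except Exception:
            return False  # fail closed if the PAM stack errors out

class PAMXMLDirectory:
    """Hypothetical directory: XML decides who exists, PAM decides who gets in."""
    def __init__(self, xml_text, pam_check, pam_service="caldav"):
        self._records = {}
        for user in ET.fromstring(xml_text).iter("user"):
            uid = user.findtext("uid")
            self._records[uid] = PAMBackedRecord(uid, user.findtext("name"), pam_check, pam_service)

    def lookup(self, uid):
        return self._records.get(uid)

    def authenticate(self, credentials):
        record = self.lookup(credentials.username)
        # Accounts not provisioned in XML (root, daemons) never reach PAM at all.
        if record is not None and record.verifyCredentials(credentials):
            return record
        return None
```

Because lookup happens before the PAM call, a valid system password is not enough to become a calendar principal: the account must also be listed in the provisioning file.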