[CalendarServer-users] PAM Authentication?
sbbowman at gmail.com
Fri Jan 11 05:26:04 PST 2008
Yes, that is what I thought. I, and I think many many others, would like to
use PAM for just the authentication piece, and then fall on another
directory service (XML) to do the provisioning.
On Jan 10, 2008 5:43 PM, David Reid <dreid at apple.com> wrote:
> Hi Stephen,
> On Jan 10, 2008, at 1:10 PM, Stephen Bowman wrote:
> > Has anyone looked into implementing a Directory Service for PAM (or
> > system) authentication? For apache authorization, I typically use
> > pwauth (which works quite well), and I noticed that there are Apache
> > Directory Services, but it's not possible (as far as I can tell) to
> > leverage pwauth with these. To configure pwauth, the magic occurs
> > in httpd.conf pointing at pwauth - there really is no htpasswd file.
> It is definitely possible to use PAM for authentication; there are PAM
> bindings for Python, and there is a recent Twisted ticket about adding
> the necessary implementation for verifying credentials. (
> ) However the IDirectoryService API also handles provisioning,
> which I don't think PAM exposes.
> It may however be perfectly acceptable to create a directory service
> that uses PAM for authentication and either the XML or SQL
> IDirectoryService for provisioning.
> Now work has been done in this area however, Apple doesn't use PAM
> very heavily. But here are some pointers in case someone on the list
> is interested in contributing.
> Twisted Cred
> (We basically need a new IUsernamePassword supporting
> ICredentialChecker implementation.)
> Python PAM binding using Ctypes
> More Python PAM bindings
> The IDirectoryService interfaces
> It looks like you'll need to override
> IDirectoryRecord.verifyCredentials on the DirectoryRecord
> implementation for the service you'd like to use (xmlfile or sqldb
> should both be possible.)
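
The split discussed in this thread (PAM verifies the password, an XML file decides who is provisioned), sketched as an added example that is not code from the thread, CalendarServer or Twisted. The class names, the simplified XML layout and the plain-password verifyCredentials signature are assumptions made for illustration; the default verifier assumes the python-pam package.

```python
import xml.etree.ElementTree as ET

# Constructed provisioning data; simplified layout, not CalendarServer's schema.
ACCOUNTS_XML = """<accounts realm="Example Realm">
  <user><uid>alice</uid><name>Alice Example</name></user>
  <user><uid>bob</uid><name>Bob Example</name></user>
</accounts>"""

def pam_authenticate(username, password, service="login"):
    """Default verifier. Assumes the python-pam package is installed."""
    import pam  # imported lazily so this module loads on hosts without PAM
    return pam.pam().authenticate(username, password, service=service)

class PAMBackedRecord:
    """Record provisioned from XML whose password check is delegated to PAM."""
    def __init__(self, uid, full_name, authenticate):
        self.uid = uid
        self.full_name = full_name
        self._authenticate = authenticate

    def verifyCredentials(self, password):
        # Hypothetical, simplified signature: a plain password string.
        if not isinstance(password, str) or not password:
            return False
        try:
            return self._authenticate(self.uid, password) is True
        except Exception:
            return False  # fail closed if the PAM stack errors out

class PAMBackedDirectory:
    """XML supplies the records; no password is ever read from the XML."""
    def __init__(self, xml_text, authenticate=pam_authenticate):
        self._records = {}
        for user in ET.fromstring(xml_text).iter("user"):
            uid = (user.findtext("uid") or "").strip()
            if uid:
                name = user.findtext("name")
                self._records[uid] = PAMBackedRecord(uid, name, authenticate)

    def recordWithUID(self, uid):
        return self._records.get(uid)

    def login(self, uid, password):
        # Provisioning gate first: a valid system account that is not listed
        # in the XML gets no record, and PAM is never consulted for it.
        record = self.recordWithUID(uid)
        if record is not None and record.verifyCredentials(password):
            return record
        return None
```

Because the verifier is injected, the directory can be tested without a PAM stack, and a PAM error is treated as a failed login rather than falling back to any other password source.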