Any C coders want to help me with something?

Mike McGrath mmcgrath at redhat.com
Wed Apr 29 18:03:03 UTC 2009


On Thu, 30 Apr 2009, Basil Mohamed Gohar wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 04/30/2009 12:52 AM, Mike McGrath wrote:
> > On Wed, 29 Apr 2009, Stephen John Smoogen wrote:
> >
> >> On Wed, Apr 29, 2009 at 8:27 AM, Mike McGrath <mmcgrath at redhat.com> wrote:
> >>> On Wed, 29 Apr 2009, Stefan Schlesinger wrote:
> >>>
> >>>> On Apr 29, 2009, at 01:38 , Mike McGrath wrote:
> >>>>> I'd like someone to write a pam module to auth against fas.  I'm not sure
> >>>>> it's the way to go but I'd like to have something up and running to test
> >>>>> with to see how it behaves, how it deals with some failure scenarios, etc.
> >>>> I'm not sure what exactly you want to do, but pam_ldap should do what
> >>>> you want, right? Or at least one could use it as codebase and modify it.
> >>>>
> >>> pam_ldap would probably be close to what we want and certainly a good
> >>> place to look but we don't run an ldap server so it won't auth against
> >>> fas.
> >>>
> >> Well normally what I have seen is that the 'FAS' server would export a
> >> schema table to LDAP and LDAP would then be what is authenticated to
> >> (the same with Kerberos if combined). Or the FAS server has a
> >> mysql/postgres background and someone uses pam/mod mysql to do it.
> >>
> >> The one problem with custom pam modules is usually the 'oooooooh'
> >> moment when something doesn't work quite as planned (hey look I can
> >> sudo root as apache? how did that happen?)
> >>
> >
> > This is a legit and good concern.  Ricky and I were talking about it last
> > night.  Since we're re-thinking things I'm open to suggestions.  Might be
> > something as simple as getting an ldap server to communicate with a
> > postgres backend?
> >
> > 	-Mike
> Sorry for butting in like this, but I always assumed FAS would use LDAP
> as a backend, so that 3rd parties, if they wanted to plug in to the
> system, would utilize LDAP.  Is that not the case?
>

Correct, that's not the case.  Instead of LDAP we have a postgres backend
and use json to auth; third parties use python-fedora to authenticate.  We
tried pretty hard to get LDAP working with our account system but ran into
many problems and decided to go back to postgres.

	-Mike



