Any C coders want to help me with something?
mmcgrath at redhat.com
Wed Apr 29 18:03:03 UTC 2009
On Thu, 30 Apr 2009, Basil Mohamed Gohar wrote:
> On 04/30/2009 12:52 AM, Mike McGrath wrote:
> > On Wed, 29 Apr 2009, Stephen John Smoogen wrote:
> >> On Wed, Apr 29, 2009 at 8:27 AM, Mike McGrath <mmcgrath at redhat.com> wrote:
> >>> On Wed, 29 Apr 2009, Stefan Schlesinger wrote:
> >>>> On Apr 29, 2009, at 01:38, Mike McGrath wrote:
> >>>>> I'd like someone to write a pam module to auth against fas. I'm not sure
> >>>>> it's the way to go but I'd like to have something up and running to test
> >>>>> with to see how it behaves, how it deals with some failure scenarios, etc.
> >>>> I'm not sure what exactly you want to do, but pam_ldap should do what
> >>>> you want, right? Or at least one could use it as codebase and modify it.
> >>> pam_ldap would probably be close to what we want and certainly a good
> >>> place to look but we don't run an ldap server so it won't auth against
> >>> fas.
> >> Well normally what I have seen is that the 'FAS' server would export a
> >> schema table to LDAP and LDAP would then be what is authenticated to
> >> (the same with Kerberos if combined). Or the FAS server has a
> >> mysql/postgres background and someone uses pam/mod mysql to do it.
> >> The one problem with custom pam modules is usually the 'oooooooh'
> >> moment when something doesn't work quite as planned (hey look I can
> >> sudo root as apache? how did that happen?)
> > This is a legit and good concern. Ricky and I were talking about it last
> > night. Since we're re-thinking things I'm open to suggestions. Might be
> > something as simple as getting an ldap server to communicate with a
> > postgres backend?
> > -Mike
> Sorry for butting in like this, but I always assumed FAS would use LDAP
> as a backend, so that 3rd parties, if they wanted to plug in to the
> system, would utilize LDAP. Is that not the case?
Correct, that's not the case. Instead of LDAP we have a postgres backend
and use json to auth; third parties use python-fedora to authenticate. We
tried pretty hard to get LDAP working with our account system but ran into
many problems and decided to go back to postgres.