Any C coders want to help me with something?

Axel Thimm Axel.Thimm at ATrpms.net
Wed Apr 29 18:47:21 UTC 2009


On Wed, Apr 29, 2009 at 01:03:03PM -0500, Mike McGrath wrote:
> > >> Well normally what I have seen is that the 'FAS' server would export a
> > >> schema table to LDAP and LDAP would then be what is authenticated to
> > >> (the same with Kerberos if combined). Or the FAS server has a
> > >> mysql/postgres background and someone uses pam/mod mysql to do it.

> > Sorry for butting in like this, but I always assumed FAS would use LDAP
> > as a backend, so that 3rd parties, if they wanted to plug in to the
> > system, would utilize LDAP.  Is that not the case?
> 
> Correct, that's not the case.  Instead of LDAP we have a postgres backend
> and use json to auth, third parties use python-fedora to authenticate.  We
> tried pretty hard to get LDAP working with our account system but ran into
> many problems and decided to go back to postgres.

I'd third the LDAP love here, e.g. either a read-only cron'd export to
LDAP or rewriting the FAS backend for LDAP. Any future tool you may
want to attach to FAS will most probably have LDAP support out of the
box, but any other kind of authentication would need special coding
(like your pam module request), which is both time consuming and a
security risk if not written properly.
-- 
Axel.Thimm at ATrpms.net