[Freeipa-users] Migrating from custom auth system

Nicola Canepa canepa.n at mmfg.it
Thu Jul 9 14:36:10 UTC 2015 

If I enable the PAM plugin of 389-ds, I'm able to let users be 
authenticated by PAM, even if the user is not present il LDAP, hence the 
plain-text password is passed to PAM.
The only missing step is: if PAM correctly authenticates a non-existing 
user, it should be created (using the just supplied password).

Nicola

Il 09/07/15 15:20, Alexander Bokovoy ha scritto:
> On Thu, 09 Jul 2015, Nicola Canepa wrote:
>> Thank you Alexander.
>> If the previous password is not used, I could set an impossible-hash 
>> password (such as "{crypt}*") and let users login authenticating 
>> trhough PAM?
> How would you authenticate then? Remember that it is the hash in
> userPassword attribute that is used for actual authentication. If
> password-handling plugin cannot calculate to the same hash based on the
> plain-text password it was supplied via LDAP bind, how would user
> successfully authenticate?
>
> If you migrate this way, you need password hashes, at least.
> If you are going to issue users with new passwords, just create all of
> them in IPA with these new passwords and ask them to login, at least
> once, to IPA self-service.
>
>> Or I could put the "user-add" in the pam_exec script (but only if the 
>> user does not already exists).
> I don't think is is sufficiently good, at least I wouldn't do it this
> way.
>

-- 

Nicola Canepa
Tel: +39-0522-399-3474
canepa.n at mmfg.it
---
Il contenuto della presente comunicazione è riservato e destinato esclusivamente ai destinatari indicati. Nel caso in cui sia ricevuto da persona diversa dal destinatario sono proibite la diffusione, la distribuzione e la copia. Nel caso riceveste la presente per errore, Vi preghiamo di informarci e di distruggerlo e/o cancellarlo dal Vostro computer, senza utilizzare i dati contenuti. La presente comunicazione (comprensiva dei documenti allegati) non avrà valore di proposta contrattuale e/o accettazione di proposte provenienti dal destinatario, nè rinuncia o riconoscimento di diritti, debiti e/o crediti, nè sarà impegnativa, qualora non sia sottoscritto successivo accordo da chi può validamente obbligarci. Non deriverà alcuna responsabilità precontrattuale a ns. carico, se la presente non sia seguita da contratto sottoscritto dalle parti.

The content of the above communication is strictly confidential and reserved solely for the referred addressees. In the event of receipt by persons different from the addressee, copying, alteration and distribution are forbidden. If received by mistake we ask you to inform us and to destroy and/or delete from your computer without using the data herein contained. The present message (eventual annexes inclusive) shall not be considered a contractual proposal and/or acceptance of offer from the addressee, nor waiver recognizance of rights, debts  and/or credits, nor shall it be binding when not executed as a subsequent agreement by persons who could lawfully represent us. No pre-contractual liability shall apply to us when the present communication is not followed by any binding agreement between the parties.

More information about the Freeipa-users mailing list