[Freeipa-users] Migrating from custom auth system
Rich Megginson
rmeggins at redhat.com
Thu Jul 9 14:39:11 UTC 2015
On 07/09/2015 08:36 AM, Nicola Canepa wrote:
> If I enable the PAM plugin of 389-ds, I'm able to let users be
> authenticated by PAM, even if the user is not present in LDAP, hence
> the plain-text password is passed to PAM.
> The only missing step is: if PAM correctly authenticates a
> non-existing user, it should be created (using the just supplied
> password).
The 389-ds PAM passthrough auth plugin can't add users. You would have
to add some additional functionality to either PAM, or another 389-ds
plugin.
>
> Nicola
>
> On 09/07/15 15:20, Alexander Bokovoy wrote:
>> On Thu, 09 Jul 2015, Nicola Canepa wrote:
>>> Thank you Alexander.
>>> If the previous password is not used, I could set an impossible-hash
>>> password (such as "{crypt}*") and let users login authenticating
>>> through PAM?
>> How would you authenticate then? Remember that it is the hash in
>> userPassword attribute that is used for actual authentication. If
>> password-handling plugin cannot calculate to the same hash based on the
>> plain-text password it was supplied via LDAP bind, how would user
>> successfully authenticate?
>>
>> If you migrate this way, you need password hashes, at least.
>> If you are going to issue users with new passwords, just create all of
>> them in IPA with these new passwords and ask them to login, at least
>> once, to IPA self-service.
>>
>>> Or I could put the "user-add" in the pam_exec script (but only if
>>> the user does not already exist).
>> I don't think it is sufficiently good, at least I wouldn't do it this
>> way.
>>
>