[Freeipa-users] Migrating from custom auth system

Rich Megginson rmeggins at redhat.com
Thu Jul 9 14:39:11 UTC 2015


On 07/09/2015 08:36 AM, Nicola Canepa wrote:
> If I enable the PAM plugin of 389-ds, I'm able to let users be 
> authenticated by PAM, even if the user is not present in LDAP, hence 
> the plain-text password is passed to PAM.
> The only missing step is: if PAM correctly authenticates a 
> non-existing user, it should be created (using the just supplied 
> password).

The 389-ds PAM passthrough auth plugin can't add users.  You would have 
to add some additional functionality to either PAM, or another 389-ds 
plugin.

>
> Nicola
>
> On 09/07/15 15:20, Alexander Bokovoy wrote:
>> On Thu, 09 Jul 2015, Nicola Canepa wrote:
>>> Thank you Alexander.
>>> If the previous password is not used, I could set an impossible-hash 
>>> password (such as "{crypt}*") and let users login authenticating 
>>> through PAM?
>> How would you authenticate then? Remember that it is the hash in
>> userPassword attribute that is used for actual authentication. If
>> password-handling plugin cannot calculate to the same hash based on the
>> plain-text password it was supplied via LDAP bind, how would user
>> successfully authenticate?
>>
>> If you migrate this way, you need password hashes, at least.
>> If you are going to issue users with new passwords, just create all of
>> them in IPA with these new passwords and ask them to login, at least
>> once, to IPA self-service.
>>
>>> Or I could put the "user-add" in the pam_exec script (but only if 
>>> the user does not already exist).
>> I don't think it is sufficiently good, at least I wouldn't do it this
>> way.
>>
>
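Added example, not code from the thread or from 389-ds itself: a small Python model of what Alexander describes, namely that a simple bind is decided by re-hashing the supplied plain-text password and comparing it with the value stored in userPassword. It assumes the 389-ds {SSHA} layout (SHA-1 digest of password+salt, followed by the salt, base64-encoded) and uses a constructed two-entry "directory"; the DNs and passwords are made up. It also shows why a value like "{crypt}*" can never match: crypt(3) never produces output beginning with '*', so such an entry is effectively locked rather than "authenticated through PAM".

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

try:
    import crypt as _crypt  # available up to Python 3.12, removed in 3.13
except ImportError:
    _crypt = None


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build a 389-ds style {SSHA} userPassword value: base64(sha1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Return True only if `candidate` re-hashes to the stored userPassword value.

    The directory never recovers the password from the hash; it recomputes the
    hash from the plain text supplied in the bind and compares the two.
    """
    if not stored.startswith("{"):
        # Clear-text storage (only if the server was configured that way).
        return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))
    scheme, _, data = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme == "SSHA":
        raw = base64.b64decode(data)
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
        expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
        return hmac.compare_digest(digest, expected)
    if scheme == "SHA":
        expected = hashlib.sha1(candidate.encode("utf-8")).digest()
        return hmac.compare_digest(base64.b64decode(data), expected)
    if scheme == "CRYPT":
        # crypt(3) output never starts with '*' or '!', so "{crypt}*" (the
        # "impossible hash" from the thread) can never be matched: locked account.
        if data.startswith(("*", "!")):
            return False
        if _crypt is None:
            raise RuntimeError("crypt module not available on this Python")
        return hmac.compare_digest(_crypt.crypt(candidate, data), data)
    raise ValueError("unsupported password scheme: %r" % scheme)


# Constructed sample directory (hypothetical DNs and passwords, not real data):
# one user migrated with a proper hash, one given the "{crypt}*" placeholder.
ALICE_DN = "uid=alice,ou=people,dc=example,dc=com"
BOB_DN = "uid=bob,ou=people,dc=example,dc=com"
SAMPLE_DIRECTORY: Dict[str, str] = {
    ALICE_DN: make_ssha("correct horse", salt=b"12345678"),
    BOB_DN: "{crypt}*",
}


def simple_bind(directory: Dict[str, str], dn: str, password: str) -> bool:
    """Model an LDAP simple bind: look up the entry, then verify against userPassword."""
    stored = directory.get(dn)
    if stored is None:
        return False  # unknown DN; a real server reports invalidCredentials
    return verify_userpassword(stored, password)


if __name__ == "__main__":
    print("alice, right password:", simple_bind(SAMPLE_DIRECTORY, ALICE_DN, "correct horse"))
    print("alice, wrong password:", simple_bind(SAMPLE_DIRECTORY, ALICE_DN, "nope"))
    print("bob ({crypt}*), any password:", simple_bind(SAMPLE_DIRECTORY, BOB_DN, "anything"))
```

The point the model makes explicit: without a usable hash in userPassword, an ordinary bind against the entry can only fail, so a migration that keeps existing passwords needs the hashes, and a migration that does not needs freshly set passwords, exactly the two options Alexander lists.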