[Freeipa-users] Migrating from custom auth system
Alexander Bokovoy
abokovoy at redhat.com
Thu Jul 9 14:55:05 UTC 2015
On Thu, 09 Jul 2015, Nicola Canepa wrote:
>If I enable the PAM plugin of 389-ds, I'm able to let users be
>authenticated by PAM, even if the user is not present in LDAP, hence
>the plain-text password is passed to PAM.
>The only missing step is: if PAM correctly authenticates a
>non-existing user, it should be created (using the just supplied
>password).
I have a feeling you are overcomplicating things for yourself.
You don't need PAM plugin of 389-ds to be enabled or used with FreeIPA.
All you need is to create your users in IPA, assign them some temporary
passwords, let them visit https://ipa.example.com/ipa/ui/reset_password.html,
set up your web app to authenticate via PAM like
http://www.freeipa.org/page/Web_App_Authentication explains, and you are
done.
--
/ Alexander Bokovoy