[Freeipa-users] Question for AD trust and Webservices
Alexander Bokovoy
abokovoy at redhat.com
Wed Jun 17 12:31:13 UTC 2015
On Wed, 17 Jun 2015, Henry Hofmann wrote:
>> For redmine use http://www.redmine.org/plugins/redmine_pam_auth. You
>> don't need to include the user which runs redmine into shadow group
>> with FreeIPA because user accounts are never in /etc/shadow for
>> FreeIPA so you don't need that access.
>>
>What do you mean by "You don't need to include the user which runs
>Redmine into shadow group with FreeIPA because user accounts are never
>in /etc/shadow for FreeIPA so you don't need that access"? Normally

The redmine_pam_auth solution runs the authentication process with the
help of PAM modules. PAM modules need to access the data they would be
using to check the passwords. In a classical setup with redmine_pam_auth,
that would be having access to the /etc/shadow file, which is limited on
most systems. On Fedora, for example, only root can access it, so a PAM
module that checks the passwords via /etc/shadow would need to be run
with root privileges. In other distributions the situation may be
different and 'shadow' group membership may be used to limit access to
/etc/shadow. When using pam_sss, one doesn't need to access /etc/shadow
at all, thus my suggestion.
--
/ Alexander Bokovoy
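
Added example, not part of the original message or of redmine_pam_auth: a small Python check that reads a PAM service file and reports whether its auth modules depend on /etc/shadow (pam_unix) or on SSSD (pam_sss), plus who can read a file with a given mode. The sample service files, function names and file modes are constructed for illustration.

```python
import os
import stat

SHADOW_BACKED = {"pam_unix.so"}  # checks passwords against /etc/shadow
SSSD_BACKED = {"pam_sss.so"}     # asks the SSSD daemon instead

def auth_modules(pam_text):
    """Return the module names on the 'auth' lines of a PAM service file."""
    modules = []
    for raw in pam_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].lstrip("-") != "auth":
            continue
        idx = 2
        if fields[1].startswith("["):  # control like [success=1 default=ignore]
            while idx <= len(fields) and not fields[idx - 1].endswith("]"):
                idx += 1
        if idx < len(fields):
            modules.append(os.path.basename(fields[idx]))
    return modules

def shadow_dependency(pam_text):
    """Map each auth module to 'shadow', 'sssd' or 'other'.
    Targets of include/substack lines are not followed; they show as 'other'."""
    return {m: "shadow" if m in SHADOW_BACKED
            else "sssd" if m in SSSD_BACKED else "other"
            for m in auth_modules(pam_text)}

def shadow_readable_by(mode, group_name):
    """Who, besides root, can read a file with this mode and owning group."""
    if mode & stat.S_IROTH:
        return "everyone"
    if mode & stat.S_IRGRP:
        return "group:" + group_name
    return "root-only"

# Constructed service files (the plugin's real PAM service name is not on the page).
CLASSIC = "auth required pam_unix.so\naccount required pam_unix.so\n"
FREEIPA = "# SSSD client\nauth required pam_sss.so\naccount required pam_sss.so\n"

if __name__ == "__main__":
    print("classic:", shadow_dependency(CLASSIC))
    print("freeipa:", shadow_dependency(FREEIPA))
    # Constructed modes for the two access models the message describes.
    print(shadow_readable_by(0o000, "root"))     # root only
    print(shadow_readable_by(0o640, "shadow"))   # readable via group membership
```

A stack that reports only 'sssd' for its auth modules gives no reason to add the web application's account to the 'shadow' group.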