Can I set the user to authenticate as?
Tomas Mraz
tmraz at redhat.com
Tue Jan 8 18:45:53 UTC 2013
On Fri, 2013-01-04 at 16:13 -0800, Dylan Martin wrote:
> Hi all, thanks for reading.
>
> I'm trying to set up authentication against a remote imap server that
> I don't run. I've got pam_imap working, so everything is fine as long
> as the username on my box is the same as the username on the imap server.
> I'd like to somehow make it possible for someone to log in as a
> different name than is submitted to the imap server. The fact that
> I'm using imap really shouldn't matter.
>
> I run a web server for a community college. We have an email server
> run by the district. I work at one of the campuses. I have zero
> control over the email server at district. I want to authenticate
> users on my web server with their imap accounts (because I hate
> resetting passwords). Unfortunately, most web server account names
> are different from the imap account names. For example 'english' or
> 'lab' might be reasonable account names on my web server but that web
> account will be managed by a human with an email account (and IMAP
> username) like 'jdoe'.
>
> What I need is for someone to log in as 'lab' with a password and have
> PAM ask the IMAP server to authenticate jdoe, and if that succeeds,
> let them log in as 'lab'.
> That means pam would somehow have to know to translate 'lab' into
> 'jdoe' for the conversation with the IMAP server and NOT then try to
> log the user in as 'jdoe' on the web server if the IMAP authentication
> succeeded.
>
> With pam's flow-through-the-stack nature, I thought there might be a
> module that would change the user name for authentication purposes.
> Like this maybe:
>
> auth required pam_localuser.so
> auth required pam_map_user.so file=/etc/usermap
> auth requisite pam_imap.so
>
> I've actually done this before by hacking a module to both map a local
> user to a remote username AND perform the authentication check. It
> seems odd to me that I'd need to combine those steps.
>
> Is there a better way to handle this problem?
You can put the mapping module after the pam_imap.so to set the PAM_USER
back to the original value which you can save with pam_set_data().
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
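
The reply above describes a module that runs twice: before pam_imap.so it saves the original PAM_USER with pam_set_data() and swaps in the remote name, and after pam_imap.so it puts the original back. The following sketch is an added example, not code from this thread or from Linux-PAM. The module name pam_map_user.so and file=/etc/usermap come from the question; the "restore" argument, the "local:remote" line format and the data key are assumptions.

```c
/* Added example: hypothetical pam_map_user module; "restore" and the map format are assumed.
 *   auth required  pam_map_user.so file=/etc/usermap
 *   auth requisite pam_imap.so
 *   auth required  pam_map_user.so restore
 * Build: cc -DBUILD_PAM_MODULE -fPIC -shared -o pam_map_user.so pam_map_user.c -lpam */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Match one "local:remote" line (assumed format); returns out, or NULL if no match. */
char *map_line(const char *line, const char *local, char *out, size_t outlen)
{
    size_t n = strlen(local), len;
    if (n == 0 || strncmp(line, local, n) != 0 || line[n] != ':') return NULL;
    len = strcspn(line + n + 1, " \t\r\n");
    if (len == 0 || len >= outlen) return NULL;   /* empty or oversized remote name */
    memcpy(out, line + n + 1, len);
    out[len] = '\0';
    return out;
}

#ifdef BUILD_PAM_MODULE   /* PAM glue is compiled only for the module build */
#include <security/pam_modules.h>
#define KEY "pam_map_user_orig"                   /* assumed data key */
static void free_saved(pam_handle_t *p, void *data, int e) { (void)p; (void)e; free(data); }
int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    const char *user = NULL, *path = "/etc/usermap";
    const void *saved = NULL;
    char line[256], remote[128] = "", *copy;
    FILE *fp; (void)flags;
    for (int i = 0; i < argc; i++) {
        if (strncmp(argv[i], "file=", 5) == 0) path = argv[i] + 5;
        if (strcmp(argv[i], "restore") == 0)      /* pass 2, after pam_imap: put PAM_USER back */
            return pam_get_data(pamh, KEY, &saved) == PAM_SUCCESS ? pam_set_item(pamh, PAM_USER, saved) : PAM_AUTH_ERR;
    }
    if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || !user) return PAM_USER_UNKNOWN;
    if (!(fp = fopen(path, "r"))) return PAM_AUTHINFO_UNAVAIL;
    while (!remote[0] && fgets(line, sizeof line, fp))
        map_line(line, user, remote, sizeof remote);
    fclose(fp);
    if (!remote[0]) return PAM_USER_UNKNOWN;      /* fail closed for unmapped accounts */
    if (!(copy = strdup(user))) return PAM_BUF_ERR;   /* copy before PAM_USER is replaced */
    if (pam_set_data(pamh, KEY, copy, free_saved) != PAM_SUCCESS) { free(copy); return PAM_SYSTEM_ERR; }
    return pam_set_item(pamh, PAM_USER, remote);  /* pass 1: pam_imap now sees the remote name */
}
int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{ (void)pamh; (void)flags; (void)argc; (void)argv; return PAM_SUCCESS; }
#endif
```

The restore line should stay `required` so that a failed restore denies the login instead of continuing with the remote name in PAM_USER, and the map file should be writable only by root since it decides whose password opens which account.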