
Re: ITS#1362 userPassord:{PAM}



I don't speak for the OpenLDAP core team, but:

IMO overloading userPassword to contain pointers to an authentication
authority is bogus. Better to:

(a) use a separate attribute (like the authAuthority attribute Apple
    use in OS X) if users need to be directed to an authority on an
    individual basis

and/or

(b) use the SLAPI and/or SASL plugin mechanisms to add support for
    PAM.

Indeed, we wrote a PAM plugin for Netscape's Directory Server years
ago that did exactly this; likely it would "just work" with OpenLDAP
(although we have no plans to try, nor to open source it).

-- Luke

>From: Paul Reilly <pareilly@tcd.ie>
>Subject: ITS#1362 userPassord:{PAM}
>To: openldap-devel@OpenLDAP.org
>Date: Wed, 30 Apr 2003 00:46:26 +0100 (IST)
>
>
>I was just looking around ITS with a view to getting my password
>mechanism that does passthru authentication to pam_smb/pam_winbind
>submitted. But I see there was a previous submission exactly along
>the same lines a year or so ago: ITS#1362
>
>Was there a problem with this patch which meant it wasn't committed?
>Or is the idea of having a new password mechanism of {PAM} which
>passes the bind request on to a PAM library not a runner? It works
>very well for me, where we have a PDC doing authentication, but
>posixAccount attributes in LDAP. I'm sure it would be of use to others
>too.
>
>Thanks
>Paul

--
Luke Howard | PADL Software Pty Ltd | www.padl.com
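The thread contrasts two designs: Paul's patch, which stores a "{PAM}" marker in userPassword and has the bind path forward the credential to a PAM library, and Luke's preference for keeping userPassword a verifiable hash and routing pass-through users via a separate attribute. The following Python is an added illustration written for this archive page; it is not code from either poster, from ITS#1362 or from OpenLDAP. It implements RFC 2307-style "{SCHEME}" parsing and verification for the hash schemes ({SSHA}, {SHA}, cleartext), shows that a "{PAM}" value cannot be verified locally because its payload is not a hash, and then routes pass-through users through a separate authority attribute. The attribute name `authAuthority`, its `name;argument` value format, and the in-memory `pdc_accounts` table standing in for a domain controller are all constructed assumptions for the example, not Apple's or OpenLDAP's actual formats.

```python
import base64
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional, Tuple

# Hash-based userPassword schemes this verifier understands (RFC 2307 style).
HASH_SCHEMES = {"SSHA", "SHA"}


def split_scheme(value: str) -> Tuple[Optional[str], str]:
    """Split '{SCHEME}payload' into (SCHEME, payload); no prefix means cleartext."""
    if value.startswith("{"):
        end = value.find("}")
        if end > 0:
            return value[1:end].upper(), value[end + 1:]
    return None, value


def make_ssha(password: bytes, salt: Optional[bytes] = None) -> str:
    """Produce a {SSHA} value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_userpassword(stored: str, candidate: bytes) -> bool:
    """Verify a candidate against a stored userPassword value.

    Only schemes whose payload is a hash (or cleartext) can be checked here.
    A marker such as {PAM} carries no verifiable material, so it is rejected:
    this is the point in the bind path where a pass-through design would have
    to call out to an external authority instead of comparing hashes.
    """
    scheme, payload = split_scheme(stored)
    if scheme is None:
        return hmac.compare_digest(payload.encode("utf-8"), candidate)
    if scheme == "SSHA":
        raw = base64.b64decode(payload)
        digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
        return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(candidate).digest(),
                                   base64.b64decode(payload))
    raise ValueError(f"cannot verify locally: scheme {{{scheme}}} is not a hash")


# Constructed stand-in for an external authority (e.g. a PDC reached via PAM).
pdc_accounts: Dict[str, bytes] = {"paul": b"domain-pw"}


def pdc_authority(entry: Dict[str, str], argument: str, candidate: bytes) -> bool:
    """Hypothetical pass-through check: 'argument' names the domain account."""
    expected = pdc_accounts.get(argument)
    return expected is not None and hmac.compare_digest(expected, candidate)


Authority = Callable[[Dict[str, str], str, bytes], bool]


def authenticate(entry: Dict[str, str], candidate: bytes,
                 authorities: Dict[str, Authority]) -> bool:
    """Bind decision for one entry (a dict of attribute -> value).

    If the entry carries a separate authAuthority attribute (assumed format
    'name;argument'), the bind is delegated to that named authority and
    userPassword is not consulted. Otherwise userPassword is verified locally.
    """
    authority_value = entry.get("authAuthority")
    if authority_value:
        name, _, argument = authority_value.partition(";")
        handler = authorities.get(name)
        return handler(entry, argument, candidate) if handler else False
    stored = entry.get("userPassword")
    if stored is None:
        return False
    try:
        return verify_userpassword(stored, candidate)
    except ValueError:
        # A {PAM}-style marker in userPassword with no routing attribute:
        # nothing to compare against, so the bind fails closed.
        return False


if __name__ == "__main__":
    local = {"uid": "luke", "userPassword": make_ssha(b"local-pw")}
    routed = {"uid": "paul", "userPassword": "{PAM}",
              "authAuthority": "pdc;paul"}
    auths = {"pdc": pdc_authority}
    print(authenticate(local, b"local-pw", auths))    # local hash check
    print(authenticate(routed, b"domain-pw", auths))  # delegated to PDC
    print(authenticate({"userPassword": "{PAM}"}, b"x", auths))  # no route
```

The split between `verify_userpassword` and `authenticate` is the design difference being argued in the thread: hash verification stays a pure comparison over stored material, while the decision to consult an external authority is driven by a dedicated attribute rather than by a special scheme token inside the password field.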