
Re: OpenLDAP for Mac OS X Login and Authentication
>Has PAM been ported to OS X?  If so, it's already easily accomplished. 
>Otherwise, it's extremely non-trivial.  Basically you have to replace
>the entire login mechanism.

Yes, we ported it 18 months ago. Apple are still in the process of
integrating it. You can check it out from Darwin though, you want
to get Libraries/Other/pam and then follow the instructions in NOTES.rtf.

You will also want to install OpenLDAP (I just imported 2.0.21 into
Services/ldap today) and the lukeh-OpenLDAP branch of lookupd to
get LDAPv3 support. Otherwise I'm told that the LDAPAgent in the
currently shipping version of OS X segfaults on startup :-(
A binary is available from ftp://ftp.padl.com/pub/lookupd.ADS.gz.

BTW, there _is_ another way, which is the way Apple want you to do
things -- use their DirectoryService framework, which is a Carbon
(OS 9/OS X) API for accessing directory services. I think it does
authentication but it only supports LDAPv2, and is not integrated
into /bin/login etc. as we have done with PAM. However, we do provide
a shim between PAM and this in Libraries/Other/pam_modules, and
Apple provide a shim between it and lookupd with their DSAgent.

(lookupd agents are analogous to Nameservice Switch modules.)

All paths are relative to anoncvs.opensource.apple.com:/cvs/Darwin.

-- Luke
--
Luke Howard | lukehoward.com
PADL Software | www.padl.com