On Wed, 2011-08-03 at 15:40 +0100, Mark McLoughlin wrote:
Hi Dmitri,
On Fri, 2011-07-29 at 12:31 -0400, Dmitri Pal wrote:
On 07/29/2011 11:58 AM, Martyn Taylor wrote:
Identity
Goals
- support authentication against external LDAP
- provide authentication mechanism across aeolus components
Conversation Topics
* LDAP Support:
  * Conductor auth against LDAP with local DB Fallback
    * conductor first tries to authenticate user against external LDAP server. If user is found there, user account in local db is created (except credentials) if it doesn't exist yet. If user is not found in LDAP, local db is searched.
I wonder why reinvent the wheel. Can you use local PAM stack for authentication
Using PAM is an interesting idea. It does make the app more complicated to install and configure, though. And makes it less portable. Also, I don't see much talk of Rails apps using PAM.
All that being said, though, it might be a good option for LDAP support assuming we retain the option of using Conductor's DB as an identity store.
Oh yes, as Simo pointed out, the other thing about PAM is that it doesn't get us Kerberos support - it's not a magic bullet on that front.
Cheers, Mark.
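
The LDAP-first flow with local DB fallback described in the thread, sketched in Ruby as an added example (not code from Conductor or from anyone on the thread). `FakeDirectory`, `LocalStore` and `authenticate` are hypothetical names, the directory is a constructed stand-in for a real LDAP bind, and the example assumes that a user who exists in LDAP but gives a wrong password is rejected without falling back to the local DB.

```ruby
require 'openssl'
require 'securerandom'

# Constructed stand-in for the external LDAP server; a real deployment would
# search for the entry and attempt a bind instead of comparing strings.
class FakeDirectory
  def initialize(entries); @entries = entries; end
  def found?(login); @entries.key?(login); end
  def bind?(login, password); @entries[login] == password; end
end

# Local identity store. Rows created for LDAP users carry no credentials.
class LocalStore
  attr_reader :users
  def initialize; @users = {}; end

  def add_local(login, password)
    salt = SecureRandom.bytes(16)
    @users[login] = { source: :local, salt: salt, digest: derive(password, salt) }
  end

  def add_shadow(login)
    @users[login] ||= { source: :ldap, salt: nil, digest: nil }
  end

  def verify?(login, password)
    u = @users[login]
    return false unless u && u[:source] == :local # shadow rows never match
    diff = derive(password, u[:salt]).bytes.zip(u[:digest].bytes)
    diff.reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero? # constant-time compare
  end

  private

  def derive(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 100_000, 32, OpenSSL::Digest.new('SHA256'))
  end
end

# LDAP first; the local DB is consulted only when LDAP has no such user.
def authenticate(dir, store, login, password)
  return nil if login.to_s.empty? || password.to_s.empty? # empty password: unauthenticated bind
  if dir.found?(login)
    return nil unless dir.bind?(login, password) # known to LDAP: no local fallback
    store.add_shadow(login)
    return login
  end
  store.verify?(login, password) ? login : nil
end
```

Because the shadow row holds no digest, an account that originated in LDAP cannot be logged into through the local path if its directory entry later disappears.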