We have a GUI-based computer program that drives an external device/machine. By default our software only displays limited information on that external device.
However, when a power user (group defined in /etc) identifies themselves by entering their credentials through our software GUI, our software then checks those credentials against /etc/shadow using crypt() and getspnam() and, if successful, provides extra functions for configuring our external device/machine.
Currently, our software runs on several networked computers and our users, which are all local (defined in /etc), are duplicated on each computer. This is not ideal and we would rather have all users managed by IPA in a central place (a dedicated computer as the IPA server) with our software running on IPA clients. Therefore, our software won't be able to check users' credentials using the local /etc/shadow file anymore.
Basically, we would need to be able to query IPA programmatically (C language - or at least a shell script) to check that a username+password is correct.
How can we proceed? Thanks
On 3/28/22 19:08, Roger Seguin wrote:
> We have a GUI-based computer program that drives an external device/machine. By default our software only displays limited information on that external device.
> However, when a power user (group defined in /etc) identifies themselves by entering their credentials through our software GUI, our software then checks those credentials against /etc/shadow using crypt() and getspnam() and, if successful, provides extra functions for configuring our external device/machine.
> Currently, our software runs on several networked computers and our users, which are all local (defined in /etc), are duplicated on each computer. This is not ideal and we would rather have all users managed by IPA in a central place (a dedicated computer as the IPA server) with our software running on IPA clients. Therefore, our software won't be able to check users' credentials using the local /etc/shadow file anymore.
> Basically, we would need to be able to query IPA programmatically (C language - or at least a shell script) to check that a username+password is correct.
You do an LDAP bind using the username and password. If it's successful, then the combination is valid.
You could also look to see how sssd does it.
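The bind check Samuel describes, written out as a shell script (the poster's fallback language) using OpenLDAP's ldapwhoami. This is an added example, not code from the thread or from FreeIPA; the server name ipa.example.com and base DN dc=example,dc=com are assumptions. The C equivalent is ldap_sasl_bind_s() with LDAP_SASL_SIMPLE from libldap. Two details matter for security: the username is allow-listed rather than escaped so it cannot rewrite the bind DN, and an empty password is refused before it reaches the server, because an LDAP "unauthenticated bind" may be answered with success as an anonymous bind.

```shell
#!/bin/sh
# Added example (not from the thread): check an IPA user's password with an
# LDAP simple bind, using OpenLDAP's ldapwhoami.
# Assumed values: IPA server ipa.example.com, base DN dc=example,dc=com.
IPA_SERVER="${IPA_SERVER:-ipa.example.com}"
IPA_BASEDN="${IPA_BASEDN:-dc=example,dc=com}"

# Only accept usernames that need no RFC 4514 escaping when spliced into a DN,
# so a crafted username cannot rewrite the bind DN.
valid_username() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# IPA stores user entries under cn=users,cn=accounts,<base DN>.
user_dn() {
    printf 'uid=%s,cn=users,cn=accounts,%s\n' "$1" "$IPA_BASEDN"
}

# Returns 0 when the username+password bind succeeds, 1 otherwise.
ipa_check_password() {
    user="$1"; pass="$2"
    valid_username "$user" || return 1
    # An empty password is an "unauthenticated bind" (RFC 4513 section 5.1.2);
    # servers may answer it with success as an anonymous bind, so never send one.
    [ -n "$pass" ] || return 1
    # Hand the password over in a 0600 temp file (-y), not on argv where every
    # local user could read it from ps.  -y uses the file's complete contents,
    # so write it without a trailing newline.
    pwfile=$(mktemp) || return 1
    printf '%s' "$pass" > "$pwfile"
    # -x: simple bind; ldaps://: the password travels only under TLS.  The server
    # certificate is checked against TLS_CACERT from /etc/openldap/ldap.conf,
    # which ipa-client-install points at /etc/ipa/ca.crt.
    if ldapwhoami -x -H "ldaps://$IPA_SERVER" -D "$(user_dn "$user")" \
            -y "$pwfile" -o nettimeout=5 >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -f "$pwfile"
    return $rc
}

# Usage: ipa_check_password "$username" "$password" && echo "power user OK"
```

ldapwhoami exits with the LDAP result code, so a wrong password shows up as exit status 49 (invalidCredentials); the function collapses every non-zero status to 1 so the caller only learns "valid" or "not valid".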
On Mar 29, 2022, at 03:08, Samuel Sieb samuel@sieb.net wrote:
> You do an LDAP bind using the username and password. If it's successful, then the combination is valid.
If this is IPA, using the Kerberos libraries is significantly more secure than binding to LDAP.
— Jonathan Billings
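The Kerberos route Jonathan recommends, as an added shell example that is not from the thread or from FreeIPA. It assumes MIT Kerberos (the Fedora/RHEL default) and an IPA-enrolled host whose host/ principal sits in /etc/krb5.keytab and is readable by the program. The part that makes this stronger than a bare password check is the second step: a TGT obtained with a password only proves the reply decrypted with the password that was typed, which an attacker who spoofs the KDC and types a password of their own choosing can arrange; fetching a ticket for the host's own principal and decrypting it with the keytab proves the KDC really holds the host key. In C the same two steps are krb5_get_init_creds_password() followed by krb5_verify_init_creds() from libkrb5.

```shell
#!/bin/sh
# Added example (not from the thread): check an IPA user's password by getting
# a Kerberos TGT with it, then confirm the KDC was genuine by validating a
# service ticket against the host keytab.  Assumes MIT Kerberos and an
# IPA-enrolled host whose host/ principal is in KEYTAB, readable by the program.
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"

# Only accept plain usernames; anything else is refused before it reaches kinit.
valid_username() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Returns 0 when the password is correct and the KDC is trusted, 1 otherwise.
ipa_check_password() {
    user="$1"; pass="$2"
    valid_username "$user" || return 1
    [ -n "$pass" ] || return 1
    # Private credential cache so the caller's own tickets are never touched.
    cc=$(mktemp) || return 1
    KRB5CCNAME="FILE:$cc"; export KRB5CCNAME
    rc=1
    # kinit reads the password from stdin, keeping it off argv and out of ps.
    if printf '%s\n' "$pass" | kinit "$user" >/dev/null 2>&1; then
        # A TGT only proves the AS-REP decrypted with the typed password, which
        # an attacker spoofing the KDC (and typing their own password) can fake.
        # kvno -k fetches a ticket for this host's own principal and decrypts it
        # with the keytab; only the real KDC holds that key.
        if kvno -k "$KEYTAB" "host/$(hostname -f)" >/dev/null 2>&1; then
            rc=0
        fi
    fi
    kdestroy -q >/dev/null 2>&1
    rm -f "$cc"
    unset KRB5CCNAME
    return $rc
}

# Usage: ipa_check_password "$username" "$password" && echo "power user OK"
```

The keytab requirement is the practical catch: /etc/krb5.keytab is root-only, so a GUI program running as an ordinary user needs either a copy readable by its service account or its own service principal; without the kvno step the check is only as trustworthy as the network between the client and the KDC.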
On Mar 28, 2022, at 22:08, Roger Seguin rgrsgn@gmail.com wrote:
> Currently, our software runs on several networked computers and our users, which are all local (defined in /etc), are duplicated on each computer. This is not ideal and we would rather have all users managed by IPA in a central place (a dedicated computer as the IPA server) with our software running on IPA clients. Therefore, our software won't be able to check users' credentials using the local /etc/shadow file anymore.
Rather than looking at /etc/shadow, you should be using PAM, and that way you could seamlessly migrate to IPA.
http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_ADG.html
— Jonathan Billings
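What "use PAM" means in practice is giving the program its own PAM service, so the C code calls pam_start() with that service name, supplies the GUI-collected password from its conversation callback when PAM asks with PAM_PROMPT_ECHO_OFF, then calls pam_authenticate() and pam_acct_mgmt() before pam_end(). The service file decides who answers: pam_unix against /etc/shadow today, pam_sss (sssd) after ipa-client-install, with no change to the program. Below is an added shell example, not from the thread or from FreeIPA, that generates and installs such a service file; the service name "devicectl" and the power-user group "deviceadmins" are assumptions. One IPA-specific caveat: sssd enforces IPA host-based access control (HBAC) rules in the account phase, keyed on the PAM service name, so the new name must be covered by an HBAC rule on the IPA server once the default allow_all rule is disabled.

```shell
#!/bin/sh
# Added example (not from the thread): give the application its own PAM
# service, so pam_authenticate()/pam_acct_mgmt() in the C program are answered
# by whatever the host is configured for (pam_unix now, sssd/IPA later).
# The service name "devicectl" and the group "deviceadmins" are assumptions.
PAM_SERVICE="${PAM_SERVICE:-devicectl}"
POWER_GROUP="${POWER_GROUP:-deviceadmins}"

# Contents of /etc/pam.d/$PAM_SERVICE.  password-auth is the stack that
# authselect/authconfig and ipa-client-install maintain on Fedora/RHEL, so
# delegating to it is what makes the migration transparent.  The
# pam_succeed_if line keeps the old "must be in the power-user group" rule;
# once sssd is in place that group can be defined in IPA instead of /etc/group.
pam_service_config() {
    cat <<EOF
#%PAM-1.0
auth       substack     password-auth
account    required     pam_succeed_if.so user ingroup $POWER_GROUP
account    include      password-auth
EOF
}

# Write the service file into the PAM config directory (default /etc/pam.d)
# and print its path.  A temp file plus mv keeps the install atomic, so PAM
# never reads a half-written policy.
install_pam_service() {
    dir="${1:-/etc/pam.d}"
    tmp=$(mktemp) || return 1
    pam_service_config > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 0644 "$tmp" &&
        mv "$tmp" "$dir/$PAM_SERVICE" &&
        printf '%s\n' "$dir/$PAM_SERVICE"
}

# Usage (as root): install_pam_service
# Then in C: pam_start("devicectl", user, &conv, &pamh); pam_authenticate(pamh, 0);
#            pam_acct_mgmt(pamh, 0); pam_end(pamh, rc);
```

Calling pam_acct_mgmt() after pam_authenticate() is not optional: that is the phase where account expiry, the group rule above and IPA's HBAC rules are evaluated, so a program that stops at pam_authenticate() would grant the power-user functions to any valid password.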