[Fedora-directory-users] PAM passthru questions and SecureID

Richard Megginson rmeggins at redhat.com
Wed Nov 8 19:38:19 UTC 2006


Chris Maresca wrote:
> All,
>
> I've been looking longingly at the PAM pass-through module as it would 
> give us access to capabilities we've wanted for a while.  I've looked 
> at the README, but I still have a few questions.
>
> 1. Is it possible to specify PAM as the authentication on a 
> per-account basis?
No.
> 2. Is it possible to specify authentication escalation on failure on a 
> per account basis?
No.

But these do seem like very interesting features - how would this work?
Via a special attribute in the user's entry?
>
> 3. Has anyone deployed it in a production environment?
>     If so, what type(s) of PAM auth did you use?
Yes.  We developed this and use this internally at Red Hat (dogfood, 
yum).  We use it because we use Kerberos for internal authentication, 
but some older LDAP clients can't do SASL, so they do simple auth, and 
pass the credentials through to Kerberos via PAM.
>
> Also, if anyone has any successful examples of using two-factor 
> authentication tokens (specifically either SecureID or CryptoCard, but 
> also others), I would love to hear about them.  It seems that none of 
> the vendors providing token-based support LDAP as a primary user info 
> repository directly, which is odd, to say the least.
We used to do this at AOL.  We had a proprietary plugin for this 
purpose.  The password was passed as "password/securidtoken".  The 
plug-in parsed out the password and the token and passed them off to our 
proprietary auth thingy.
> I'd like to add that compared to OpenLDAP, Fedora DS is a breath of 
> fresh air.  Thanks for making it available.
>
> Chris.
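The "password/securidtoken" scheme Richard describes above, worked through as an added example. This is not the AOL plug-in, not 389/Fedora DS code and not RSA's algorithm: it is a stand-alone model of a bind-time handler that splits one simple-bind password into a static password and a one-time token and verifies both factors. Everything here is an assumption for illustration: the token is taken to be a fixed six-digit code, so the split happens at the last "/" (a static password may itself contain "/"); the stored password is a PBKDF2 hash; and RFC 4226/6238 HOTP/TOTP stands in for the proprietary token algorithm. The user record and its seed are constructed sample data (the seed is the RFC test key).

```python
import hashlib
import hmac
import struct
import time

SEPARATOR = "/"    # the "password/securidtoken" convention from the post
TOKEN_DIGITS = 6   # assumption: the tokencode is a fixed-length all-digit string
TOTP_STEP = 30     # assumption: 30-second time step (RFC 6238 default)


def split_credential(bind_password: str):
    """Split a simple-bind password of the form "<password>/<token>".

    The split is done at the LAST separator so that a static password that
    itself contains "/" still works; the trailing part must then look like a
    tokencode (exactly TOKEN_DIGITS digits). Returns (password, token), or
    None when the value does not fit the convention.
    """
    if SEPARATOR not in bind_password:
        return None
    password, token = bind_password.rsplit(SEPARATOR, 1)
    if not password or len(token) != TOKEN_DIGITS or not token.isdigit():
        return None
    return password, token


def hotp(secret: bytes, counter: int, digits: int = TOKEN_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_token(secret: bytes, token: str, at_time: float, window: int = 1) -> bool:
    """RFC 6238 TOTP check with +/- `window` steps of clock skew tolerance.

    Every candidate is compared (constant-time) rather than returning early,
    so the timing does not reveal which step matched.
    """
    base = int(at_time) // TOTP_STEP
    ok = False
    for skew in range(-window, window + 1):
        ok |= hmac.compare_digest(token, hotp(secret, base + skew))
    return ok


def make_password_record(password: str, salt: bytes) -> bytes:
    """Stored form of the static password: PBKDF2-HMAC-SHA256 (assumed scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def verify_password(record: bytes, salt: bytes, password: str) -> bool:
    return hmac.compare_digest(record, make_password_record(password, salt))


# Constructed sample user record (not real data): what an authenticator would
# look up for the bind DN's user. The token seed is the RFC 4226/6238 test key.
SAMPLE_SALT = b"constructed-salt"
SAMPLE_USER = {
    "uid": "alice",
    "pw_salt": SAMPLE_SALT,
    "pw_hash": make_password_record("s3cret/with/slash", SAMPLE_SALT),
    "token_seed": b"12345678901234567890",
}


def authenticate(bind_password: str, user: dict, at_time: float = None) -> bool:
    """Decide a simple bind: both the static password and the token must verify.

    Both factors are always checked (no short-circuit on the first failure) and
    the caller only sees a single accept/reject, so a wrong password cannot be
    distinguished from a wrong token by the response or its timing.
    """
    if at_time is None:
        at_time = time.time()
    parts = split_credential(bind_password)
    if parts is None:
        return False
    password, token = parts
    pw_ok = verify_password(user["pw_hash"], user["pw_salt"], password)
    tok_ok = verify_token(user["token_seed"], token, at_time)
    return pw_ok and tok_ok


if __name__ == "__main__":
    # At t=59 the RFC test key yields tokencode 287082 (counter 1).
    print(authenticate("s3cret/with/slash/287082", SAMPLE_USER, at_time=59))
```

A real deployment would do the lookup of `pw_hash` and `token_seed` from the bound entry (or hand the token half to the vendor's authentication server, as the AOL plug-in did) rather than from an in-memory dict; the point of the example is the split-at-last-separator rule, the fixed-format check on the token half, and the fact that the bind result never says which factor failed.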