[389-users] Re: Password lookup to AD

Rich Megginson rmeggins at redhat.com
Tue Jul 14 15:21:10 UTC 2009


Prashanth Sundaram wrote:
> Thank you Rich,
>
> “so if you have some PAM module that can auth against AD (except LDAP 
> which probably won't work) you can configure PAM passthrough to pass 
> the auth to that PAM module, then to AD”
>
> Are you implying that FDS will go out of the picture with PAM? I mean, 
> can I still use FDS to check the uid attribute and then pass it to PAM?
> I am sorry, but I am not getting the flow clearly.
The flow with login will typically go like this:
user types in username + password
client does a search for uid=username - gets back the user's full DN
client does a BIND request with full BIND DN + password
DS PAM passthrough intercepts the BIND request - uses the rule to 
extract the PAM userid from the BIND DN or the user's entry (the default 
uses the value of uid=userid from the BIND DN)
PAM passthrough plugin passes the auth userid and password to PAM 
(assumes a properly configured PAM stack for use by DS)
PAM passthrough plugin accepts or rejects the BIND request based on the 
PAM auth results
the plugin can optionally continue the BIND to use regular DS 
authentication if the PAM auth failed

So the real problem here is figuring out what type of PAM stack to use 
to authenticate to AD - note that pam_ldap will likely not work because 
that would load the openldap libraries into the DS process which will 
conflict with the mozldap libraries used by DS - so something else, 
perhaps winbind? I just don't know.
>
> Can you type in, roughly, how the flow goes? (Hopefully someone might 
> come this way and find this helpful.)

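An added model of the bind decision Rich describes (this is illustrative code written for this archive page, not 389 DS plugin code): the PAM userid is mapped from the BIND DN or the user's entry, the PAM stack decides, and regular DS authentication only gets a turn when fallback is on and PAM failed. The names pamIDMapMethod, pamIDAttr and pamFallback are the plugin's configuration attributes; the user entry, the dict-backed PAM stub and the cleartext userPassword are constructed stand-ins.

```python
# Added model of the PAM passthrough bind flow; not 389 DS code.
import hmac
from typing import Callable, Dict, List

Entry = Dict[str, List[str]]          # user's LDAP entry: attribute -> values
PamAuth = Callable[[str, str], bool]  # stand-in for the PAM stack: (userid, password) -> ok


def pam_userid(bind_dn: str, entry: Entry, map_method: str = "RDN", id_attr: str = "uid") -> str:
    """Derive the PAM user id the way pamIDMapMethod selects it:
    RDN (default) = value of the first RDN, which must be uid=...;
    ENTRY = the single value of pamIDAttr in the entry; DN = the whole BIND DN."""
    if map_method == "RDN":
        attr, _, value = bind_dn.split(",", 1)[0].partition("=")
        if attr.strip().lower() != "uid" or not value.strip():
            raise ValueError(f"no uid RDN in BIND DN {bind_dn!r}")
        return value.strip()
    if map_method == "ENTRY":
        values = entry.get(id_attr.lower(), [])
        if len(values) != 1:
            raise ValueError(f"{id_attr} must be single-valued in the entry")
        return values[0]
    if map_method == "DN":
        return bind_dn
    raise ValueError(f"unknown pamIDMapMethod {map_method!r}")


def ds_password_ok(entry: Entry, password: str) -> bool:
    """Regular DS authentication, modelled as a constant-time compare against
    userPassword (constructed: a real server compares against a stored hash)."""
    stored = entry.get("userpassword", [""])[0]
    return hmac.compare_digest(stored.encode(), password.encode())


def bind(bind_dn: str, password: str, entry: Entry, pam: PamAuth,
         fallback: bool = False, map_method: str = "RDN", id_attr: str = "uid") -> bool:
    """Accept or reject the BIND: the PAM result decides, unless pamFallback
    is on and PAM failed, in which case regular DS authentication is tried."""
    if pam(pam_userid(bind_dn, entry, map_method, id_attr), password):
        return True
    return fallback and ds_password_ok(entry, password)


# Constructed sample data: one user entry and a dict-backed PAM stub.
JDOE: Entry = {"uid": ["jdoe"], "samaccountname": ["jdoe.ad"], "userpassword": ["ds-secret"]}
AD_USERS = {"jdoe": "ad-secret", "jdoe.ad": "ad-secret"}


def stub_pam(userid: str, password: str) -> bool:
    return AD_USERS.get(userid) == password
```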