Yes, that is what I thought. I, and I think many, many others, would like to use PAM for just the authentication piece, and then fall back on another directory service (XML) to do the provisioning.

On Jan 10, 2008 5:43 PM, David Reid <[EMAIL PROTECTED]> wrote:
> Hi Stephen,
>
> On Jan 10, 2008, at 1:10 PM, Stephen Bowman wrote:
>
> > Has anyone looked into implementing a Directory Service for PAM (or
> > system) authentication? For apache authorization, I typically use
> > pwauth (which works quite well), and I noticed that there are Apache
> > Directory Services, but it's not possible (as far as I can tell) to
> > leverage pwauth with these. To configure pwauth, the magic occurs
> > in httpd.conf pointing at pwauth - there really is no htpasswd file.
>
> It is definitely possible to use PAM for authentication, there are PAM
> bindings for Python, and there is a recent Twisted ticket about adding
> the necessary implementation for verifying credentials.
> (http://twistedmatrix.com/trac/ticket/2970)
> However the IDirectoryService API also handles provisioning,
> which I don't think PAM exposes.
>
> It may however be perfectly acceptable to create a directory service
> that uses PAM for authentication and either the XML or SQL
> IDirectoryService for provisioning.
>
> Now work has been done in this area however, Apple doesn't use PAM
> very heavily. But here are some pointers in case someone on the list
> is interested in contributing.
>
> Twisted Cred
> http://twistedmatrix.com/projects/core/documentation/howto/cred.html
>
> (We basically need a new IUsernamePassword supporting
> ICredentialChecker implementation.)
>
> Python PAM binding using Ctypes
> http://pypi.python.org/pypi/pam/0.1.2
>
> More Python PAM bindings
> http://pypi.python.org/pypi/spypam/1.0
>
> The IDirectoryService interfaces
> http://trac.macosforge.org/projects/calendarserver/browser/CalendarServer/trunk/twistedcaldav/directory/idirectory.py
>
> It looks like you'll need to override
> IDirectoryRecord.verifyCredentials on the DirectoryRecord
> implementation for the service you'd like to use (xmlfile or sqldb
> should both be possible.)
>
> -David
_______________________________________________
calendarserver-users mailing list
calendarserver-users@lists.macosforge.org
http://lists.macosforge.org/mailman/listinfo/calendarserver-users
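
The split discussed in this thread (PAM for the password check, an XML directory for provisioning) is sketched below as an added example; it is not code from Calendar Server, Twisted, or either poster. `SplitDirectory`, `verify_credentials`, `record_for`, `pam_authenticator` and the XML layout are hypothetical names constructed for illustration, and the only real library call assumed is `pam.authenticate(username, password, service)` from the ctypes binding linked above.

```python
import xml.etree.ElementTree as ET

# Constructed sample data; this is NOT the Calendar Server accounts file format.
SAMPLE_ACCOUNTS = """
<accounts>
  <user uid="sbowman" name="Stephen Bowman" enabled="true"/>
  <user uid="olduser" name="Former Employee" enabled="false"/>
</accounts>
"""


def pam_authenticator(service="login"):
    """Return a (user, password) -> bool callable backed by the ctypes 'pam'
    binding. Imported lazily so the rest of the example runs without PAM."""
    import pam  # assumption: module-level authenticate() as in pam 0.1.x
    return lambda user, password: bool(pam.authenticate(user, password, service))


class SplitDirectory:
    """Hypothetical composite: the XML file decides who exists, the injected
    authenticator (PAM in production) decides whether the password is right."""

    def __init__(self, accounts_xml, authenticate):
        self._authenticate = authenticate
        self._records = {}
        for el in ET.fromstring(accounts_xml).iter("user"):
            self._records[el.get("uid")] = {
                "name": el.get("name"),
                "enabled": el.get("enabled") == "true",
            }

    def record_for(self, uid):
        # Only provisioned, enabled accounts are visible to the service.
        rec = self._records.get(uid)
        return rec if rec and rec["enabled"] else None

    def verify_credentials(self, uid, password):
        # Provisioning gate first: a valid system account (root, daemon
        # users) must not get in just because PAM accepts its password.
        if self.record_for(uid) is None or not password:
            return False
        try:
            return self._authenticate(uid, password) is True
        except Exception:
            # Fail closed if the PAM stack or the binding raises.
            return False
```

In production the second constructor argument would be `pam_authenticator("some-service")`, where the service name matches a file under `/etc/pam.d/`; the process also needs whatever privileges that PAM stack requires to read password hashes, which is the problem pwauth exists to solve for Apache.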