Jason Gerfen wrote:
> I just have a few questions, comments & suggestions regarding the 
> pam_fprint module.
> 
> After taking a brief look through the pam_fprint.c source I do not see 
> anything in regards to uid/gid mapping for the valid authentication 
> based on the image of a scanned fingerprint.

Sorry for being thick, but what exactly do you mean by uid/gid mapping 
and why is it useful?

The existing system doesn't have any problems identifying the user: PAM 
identifies which user is trying to log in.

> Is this something that you intend to keep? From a Unix/Linux standpoint 
> I can see how this might somewhat limit the security of the 
> authentication process unless you rely on something such as pam_unix 
> within your authentication stack.


> First I would like to propose including a simple getpw to assist in 
> the authentication of enrolled fingerprint authenticated users (I can 
> see the use of a getpwnam call but suggest further mapping of user 
> accounts to enrolled fingerprint users). It might also help with the 
> homedir hack you have implemented, because you could initialize it from 
> the local account *OR, when I am finished, from a struct provided by 
> OpenLDAP/Active Directory or MySQL entries.
> 
> Something utilizing getpwnam_r / getpwnam:
> ** Example ripped from the pam_krb5afs.c source (headers and the
> TRUE/FALSE macros added so it compiles stand-alone)
> #include <sys/types.h>
> #include <pwd.h>
> #include <limits.h>
> #include <string.h>
>
> #ifndef TRUE
> #define TRUE  1
> #define FALSE 0
> #endif
>
> #ifdef HAVE___POSIX_GETPWNAM_R
> /* Function for determining a user's UID and primary GID. Solaris
>  * version. Currently not used; we define the _POSIX_PTHREAD_SEMANTICS
>  * macro instead. */
> static int
> get_pw(const char *user, uid_t *uid, gid_t *gid)
> {
>   static struct passwd rec;
>   struct passwd *pwd = NULL;
>   char buf[LINE_MAX];
>
>   memset(&rec, 0, sizeof(rec));
>   /* Solaris-specific reentrant lookup; pwd is set to &rec on a hit. */
>   if (__posix_getpwnam_r(user, &rec, buf, sizeof(buf), &pwd) == 0) {
>     if (pwd == &rec) {
>       *uid = pwd->pw_uid;
>       *gid = pwd->pw_gid;
>       return TRUE;
>     }
>   }
>   return FALSE;
> }
> #elif defined(HAVE_GETPWNAM_R)
> /* Function for determining a user's UID and primary GID. glibc and most
>  * other systems version. */
> static int
> get_pw(const char *user, uid_t *uid, gid_t *gid)
> {
>   static struct passwd rec;
>   struct passwd *pwd = NULL;
>   static char buf[LINE_MAX];
>
>   memset(&rec, 0, sizeof(rec));
>   /* POSIX reentrant lookup: returns 0 and sets pwd on a hit, pwd == NULL
>    * when the user does not exist, ERANGE when buf is too small. */
>   if (getpwnam_r(user, &rec, buf, sizeof(buf), &pwd) == 0) {
>     if (pwd == &rec) {
>       *uid = pwd->pw_uid;
>       *gid = pwd->pw_gid;
>       return TRUE;
>     }
>   }
>   return FALSE;
> }
> #else
> /* Really-old systems version (non-reentrant getpwnam). */
> static int
> get_pw(const char *user, uid_t *uid, gid_t *gid)
> {
>   struct passwd *pwd;
>
>   pwd = getpwnam(user);
>   if (pwd != NULL) {
>     *uid = pwd->pw_uid;
>     *gid = pwd->pw_gid;
>     return TRUE;
>   }
>   return FALSE;
> }
> #endif
> 
> Second I have spoken with you before in regards to adding support for 
> OpenLDAP/Active Directory (RFC2307) as well as MySQL support for 
> centralized authentication. I believe I am now ready to begin adding 
> this support into the existing pam_fprint module, and need to know how 
> updated the API documentation is.
> 
> Third, after doing some investigation of Active Directory it is possible 
> to implement a photo binary schema attribute for all users following the 
> guide at http://msdn.microsoft.com/en-us/library/ms953636.aspx.
> For OpenLDAP I have found the following: 
> http://www.openldap.org/doc/admin24/schema.html (Section 12.2.4.2 
> x-my-Photo)
> 
> And an RFC regarding this schema attribute: 
> http://www.rfc-editor.org/rfc/rfc2798.txt
> 
> MySQL has the blob field type to handle binary data such as photos. One 
> thing I would like to do with this is to ensure we have 'all' account 
> data available so that local accounts on a Unix/Linux system are not 
> needed. Much like a roaming profile, an example of a MySQL database 
> table to manage this would be something like:
> 
> CREATE TABLE IF NOT EXISTS `fprint_users` (
>    `id` int(255) NOT NULL auto_increment,
>    `username` varchar(255) NOT NULL,
>    `enrolled_fprint` blob NOT NULL,
>    `uid` int(255) NOT NULL,
>    `gid` int(255) NOT NULL,
>    `shell` varchar(80) NOT NULL,
>    `homedir` varchar(80) NOT NULL,
>    `time` time NOT NULL,
>    `date` date NOT NULL,
>    PRIMARY KEY  (`id`)
> ) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;
> 
> And for OpenLDAP/Active Directory the following schema attributes are 
> available for our use in a centralized authentication addition to your 
> pam_fprint module:
> 
> cn (common name, username attribute)
> jpegPhoto (enrolled fingerprint as per RFC2798)
> gidNumber (GID for Unix/Linux users as per Active Directory. OpenLDAP 
> has this schema attribute by default)
> uidNumber (UID for Unix/Linux users as per Active Directory. OpenLDAP 
> has this schema attribute by default)
> loginShell (shell attribute)
> homeDirectory (as per Active Directory)
> mSSFUHomeDirectory (as per SFU Active Directory extension defined in 
> RFC2307 for Unix/Linux users. Again, OpenLDAP has this schema attribute 
> by default)
> 
> 
> In any event those are my questions, comments, suggestions and plans 
> unless you have something better in mind.
> 

_______________________________________________
fprint mailing list
[email protected]
http://lists.reactivated.net/mailman/listinfo/fprint
