On Wed, 17 Jun 2015, Henry Hofmann wrote:
For redmine use http://www.redmine.org/plugins/redmine_pam_auth. You
don't need to include the user which runs redmine into shadow group
with FreeIPA because user accounts are never in /etc/shadow for
FreeIPA so you don't need that access.

What do you mean by "You don't need to include the user which runs
Redmine into shadow group with FreeIPA because user accounts are never
in /etc/shadow for FreeIPA so you don't need that access"?  Normally
The redmine_pam_auth solution runs the authentication process with the
help of PAM modules. PAM modules need to access the data they would be
using to check the passwords. In a classical setup with redmine_pam_auth,
that would mean having access to the /etc/shadow file, which is limited on
most systems. On Fedora, for example, only root can access it, so a PAM
module that checks the passwords via /etc/shadow would need to be run with
root privileges. In other distributions the situation may be different and
'shadow' group membership may be used to limit access to /etc/shadow.

When using pam_sss, one doesn't need to access /etc/shadow at all, thus
my suggestion.

--
/ Alexander Bokovoy
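
An added illustration of the distinction drawn in the message above, not part of the original post and not code from redmine_pam_auth or FreeIPA: a small checker that reads a PAM service file and reports whether its auth stack depends on /etc/shadow (pam_unix) or delegates to SSSD (pam_sss). The two stacks are constructed samples and the function names are hypothetical.

```python
import os

SHADOW_BACKED = {"pam_unix.so"}  # verifies passwords against /etc/shadow
SSSD_BACKED = {"pam_sss.so"}     # hands the check to the SSSD daemon

# Constructed sample: classical local-account setup.
CLASSIC_STACK = """\
auth     [success=1 default=ignore]  pam_unix.so nullok
auth     required                    pam_deny.so
account  required                    pam_unix.so
"""

# Constructed sample: FreeIPA accounts resolved through SSSD.
SSS_STACK = """\
auth     required   pam_sss.so
account  required   pam_sss.so
"""

def auth_modules(pam_text):
    """Return the module names found on 'auth' lines of a pam.d file."""
    modules = []
    for raw in pam_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].lstrip("-") != "auth":
            continue
        if fields[1] in ("include", "substack"):
            modules.append("include:" + fields[2])  # another file to inspect
            continue
        i = 1
        if fields[i].startswith("["):  # bracketed control, may span fields
            while i < len(fields) - 1 and not fields[i].endswith("]"):
                i += 1
        if i + 1 < len(fields):
            modules.append(os.path.basename(fields[i + 1]))
    return modules

def shadow_access_needed(pam_text):
    return any(m in SHADOW_BACKED for m in auth_modules(pam_text))

def check(pam_text, shadow_path="/etc/shadow"):
    """Compare what the stack needs with what this account can read."""
    needed = shadow_access_needed(pam_text)
    readable = os.access(shadow_path, os.R_OK)
    if needed and not readable:
        return "shadow-backed auth, but this account cannot read " + shadow_path
    if not needed and readable:
        return "no shadow-backed auth; read access to " + shadow_path + " is unnecessary"
    return "ok"
```

Run `check()` as the account that runs Redmine, passing the contents of the PAM service file the plugin is configured to use.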
