On 07/09/2015 08:36 AM, Nicola Canepa wrote:
If I enable the PAM plugin of 389-ds, I'm able to let users be authenticated by PAM, even if the user is not present il LDAP, hence the plain-text password is passed to PAM. The only missing step is: if PAM correctly authenticates a non-existing user, it should be created (using the just supplied password).


The 389-ds PAM passthrough auth plugin can't add users. You would have to add some additional functionality to either PAM, or another 389-ds plugin.


Nicola

Il 09/07/15 15:20, Alexander Bokovoy ha scritto:
On Thu, 09 Jul 2015, Nicola Canepa wrote:
Thank you Alexander.
If the previous password is not used, I could set an impossible-hash password (such as "{crypt}*") and let users login authenticating trhough PAM?
How would you authenticate then? Remember that it is the hash in
userPassword attribute that is used for actual authentication. If
password-handling plugin cannot calculate to the same hash based on the
plain-text password it was supplied via LDAP bind, how would user
successfully authenticate?

If you migrate this way, you need password hashes, at least.
If you are going to issue users with new passwords, just create all of
them in IPA with these new passwords and ask them to login, at least
once, to IPA self-service.

Or I could put the "user-add" in the pam_exec script (but only if the user does not already exists).
I don't think is is sufficiently good, at least I wouldn't do it this
way.



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to