On Thu, 09 Jul 2015, Nicola Canepa wrote:
> If I enable the PAM plugin of 389-ds, I'm able to let users be
> authenticated by PAM, even if the user is not present in LDAP, hence
> the plain-text password is passed to PAM.
> The only missing step is: if PAM correctly authenticates a
> non-existing user, it should be created (using the just supplied
I have a feeling you are overcomplicating things for yourself.
You don't need the PAM plugin of 389-ds to be enabled or used with FreeIPA.
All you need is to create your users in IPA, assign them some temporary
passwords, let them visit https://ipa.example.com/ipa/ui/reset_password.html,
set up your web app to authenticate via PAM like
http://www.freeipa.org/page/Web_App_Authentication explains, and you are
/ Alexander Bokovoy
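
One way the web-app side of the advice above can look, added here as an example and not taken from the thread or from the FreeIPA project. It assumes the web server is an enrolled IPA client running SSSD and Apache with mod_authnz_pam; the PAM service name `webapp` and the path `/app` are hypothetical.

```apache
# Constructed example; "webapp" and /app are assumed names.
#
# /etc/pam.d/webapp  (the PAM service the web server calls, shown as comments)
#   auth     required  pam_sss.so
#   account  required  pam_sss.so
#
# The account line matters: on an IPA client it lets SSSD apply IPA's
# HBAC rules for the "webapp" service and reject locked or expired
# accounts, instead of accepting anyone who knows a valid password.

LoadModule authnz_pam_module modules/mod_authnz_pam.so

<Location "/app">
    # Basic auth sends the password with every request: TLS only.
    SSLRequireSSL
    AuthType Basic
    AuthName "IPA login"
    AuthBasicProvider PAM
    AuthPAMService webapp
    Require valid-user
</Location>
```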