On Thu, 09 Jul 2015, Nicola Canepa wrote:
If I enable the PAM plugin of 389-ds, I'm able to let users be authenticated by PAM, even if the user is not present il LDAP, hence the plain-text password is passed to PAM. The only missing step is: if PAM correctly authenticates a non-existing user, it should be created (using the just supplied password).
I have feeling you are overcomplicating things for yourself.

You don't need PAM plugin of 389-ds to be enabled or used with FreeIPA.

All you need is to create your users in IPA, assign them some temporary
passwords, let them visit https://ipa.example.com/ipa/ui/reset_password.html,
set up your web app to authenticate via PAM like
http://www.freeipa.org/page/Web_App_Authentication explains, and you are

/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to