PAM has hooks for this; they work about as well as the rest of PAM.
In your opinion, how well is that?
I recommend that you use NSS groups as the source DB for authorization, and use pam_access for authorization.
As you can see, though, to fully function within this system, I'm in need of a PAM module that can essentially do "username conversion" as part of the authentication phase, because what a user supplies at the telnet prompt as their username may not be what their actual underlying identifier is on the system (and it may not be what is used as part of Kerberos 5 authentication, so the "username conversion" needs to happen *in* the authentication phase).
It's my understanding that the PAM API supports this feature (i.e. who you supply at a login prompt may be different from your underlying ID on the box), but most PAM modules don't bother to call whatever function it is that PAM has that does the username conversion. I'm not (yet) a PAM guru, though, so I could be wildly mistaken.
PAM doesn't have such a function. The PAM modules use PAM_USER as the username, and you can preset or alter PAM_USER from any app or from a PAM module.
But it's true that it is not a common usage.
One solution may be that you write a PAM module which prompts for the username (it will get Tim.Mooney), then does a lookup in LDAP, converts it to the POSIX username (mooney) and stores it as PAM_USER.
I saw such a module, and with well-written PAM-aware applications it can work.
The main problem with it can be that, e.g., the application gets the username itself, stores it internally (independently of PAM) and then tries to use it as the POSIX user name (e.g. the PAM-aware poppasswd).
That's why I believe I need a source-available pam_krb5 module for authentication, instead of going with something like SEAM's authentication module. If I'm wrong, I would love to hear about it.
No, the problems here are not with PAM modules; they will simply use PAM_USER, and if you alter it with a pre-existing PAM module, then it works well. The problems here are with the application.
So even if you write your own pam_krb5, you will have problems with apps (and Solaris has many broken PAM-aware applications).
For the particular Solaris box in question, it's not currently doing the electronic ID to POSIX username conversion anyway, so it's not fully functioning as part of the Hurderos system right now.
I strongly recommend that you don't use the "Hurderos IAA usernames" anywhere.
Users that want to authenticate to that system are required to know and use their POSIX username.
Yes, but it will work. :)
Tim
balsa
________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
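The username-conversion module balsa sketches above, written out as an added example (it is not code from this thread or from any project mentioned in it): the LDAP lookup is replaced by a constructed in-memory table, and the module name pam_mapuser and the stack order in the comment are assumptions.

```c
/* Added example, not code from the thread: a minimal PAM "username
 * conversion" module of the kind balsa describes. The directory is a
 * constructed table standing in for the LDAP lookup; map_login_to_posix()
 * is plain C so it compiles and tests without libpam. Assumed build/stack:
 *   cc -fPIC -shared -DWITH_PAM -o pam_mapuser.so pam_mapuser.c -lpam
 *   auth required pam_mapuser.so        (must run before pam_krb5)
 *   auth required pam_krb5.so                                          */
#include <stddef.h>
#include <string.h>
/* Constructed stand-in for LDAP: name typed at the login prompt -> POSIX name. */
static const struct { const char *login; const char *posix; } directory[] = {
    { "Tim.Mooney", "mooney" },
    { "Jane.Doe",   "jdoe"   },
};
/* Returns the POSIX username for a login name, or NULL when there is no
 * mapping, so the caller fails closed instead of passing the raw name on. */
const char *map_login_to_posix(const char *login)
{
    if (login == NULL || *login == '\0')
        return NULL;
    for (size_t i = 0; i < sizeof directory / sizeof directory[0]; i++)
        if (strcmp(login, directory[i].login) == 0)
            return directory[i].posix;
    return NULL;
}
#ifdef WITH_PAM
#include <security/pam_modules.h>
/* Authentication phase: pam_get_user() returns the preset PAM_USER or prompts
 * through the application's conversation function; the converted name is
 * stored back so later modules (pam_krb5, pam_access) see the real account. */
int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    const char *login = NULL, *posix;
    (void)flags; (void)argc; (void)argv;
    if (pam_get_user(pamh, &login, "login name: ") != PAM_SUCCESS || login == NULL)
        return PAM_AUTH_ERR;
    posix = map_login_to_posix(login);
    if (posix == NULL)
        return PAM_USER_UNKNOWN;           /* unmapped name: fail closed */
    return pam_set_item(pamh, PAM_USER, posix) == PAM_SUCCESS ? PAM_SUCCESS : PAM_AUTH_ERR;
}
int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    (void)pamh; (void)flags; (void)argc; (void)argv;
    return PAM_SUCCESS;                    /* nothing to do for credentials */
}
#endif
```

As balsa notes, this only helps with applications that take the username from PAM_USER after the auth stack has run; an application that caches the typed name before calling PAM still uses the wrong one.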
