The goal of Project RENO [0] is to facilitate interoperability with
Active Directory (see project WINCHESTER [1]), as well as with any
directory that requires "self-credentialed" lookups [2] for information
relevant to the login process, and the DCE model of distributing such
information with authentication tokens.

Project RENO involves a revamp of the Solaris login infrastructure,
specifically:

 - providing a link between network authentication frameworks and PAM,
   and
 - providing a "subject" object output from PAM by which PAM modules may
   describe Unix user accounts.

Support for use of these facilities by Solaris PAM modules and Solaris
PAM applications in the ON consolidation is included. Backwards
compatibility is preserved for all PAM applications in environments
where they currently function properly.

Initially only network authentication through the GSS-API will be linked
into PAM. PAM items will be added by which applications may pass
GSS-API mechanism OID, remote principal name and delegated credential
objects to PAM modules.

Closely related to project RENO is Per-User PAM Configuration [3], which
allows for canned PAM configurations to be selected according to the
user's user_attr(4) entries, with defaults provided by profiles listed in
policy.conf(4).

The initial leaders of this project would be:

    Nicolas Williams
    Doug Leavitt
    Baban Kenkre

[0] PSARC 2005/717.

[1] http://www.opensolaris.org/jive/thread.jspa?threadID=7551&tstart=0

[2] "Self-credentialed directory lookups" are those which require the
    use of user authentication credentials rather than host ("proxy")
    credentials.

[3] PSARC 2005/275, an RFE that pre-dated RENO but which RENO depends on.

This message posted from opensolaris.org
_______________________________________________
opensolaris-discuss mailing list