On Thu, 09 Jul 2015, Nicola Canepa wrote:
If I enable the PAM plugin of 389-ds, I'm able to let users be
authenticated by PAM, even if the user is not present in LDAP, hence
the plain-text password is passed to PAM.
The only missing step is: if PAM correctly authenticates a
non-existing user, i
On 07/09/2015 08:36 AM, Nicola Canepa wrote:
If I enable the PAM plugin of 389-ds, I'm able to let users be
authenticated by PAM, even if the user is not present in LDAP, hence
the plain-text password is passed to PAM.
The only missing step is: if PAM correctly authenticates a
non-existing user
If I enable the PAM plugin of 389-ds, I'm able to let users be
authenticated by PAM, even if the user is not present in LDAP, hence the
plain-text password is passed to PAM.
The only missing step is: if PAM correctly authenticates a non-existing
user, it should be created (using the just supplie
On Thu, 09 Jul 2015, Nicola Canepa wrote:
Thank you Alexander.
If the previous password is not used, I could set an impossible-hash
password (such as "{crypt}*") and let users login authenticating
through PAM?
How would you authenticate then? Remember that it is the hash in
userPassword attrib
Thank you Alexander.
If the previous password is not used, I could set an impossible-hash
password (such as "{crypt}*") and let users login authenticating through
PAM?
Or I could put the "user-add" in the pam_exec script (but only if the
user does not already exist).
I'll test both ways.
Ni
On Thu, 09 Jul 2015, Nicola Canepa wrote:
OK, I'm sorry for the little information provided: I can't do
migrate-ds, since I'm not coming from a "DS" (which can only be
another LDAP server, I guess).
The only thing I can expect is that users will login to one of the
applications which I put unde
OK, I'm sorry for the little information provided: I can't do
migrate-ds, since I'm not coming from a "DS" (which can only be another
LDAP server, I guess).
The only thing I can expect is that users will login to one of the
applications which I put under FreeIPA authentication.
So I mixed the "N
Nicola,
perhaps it would help if you explain what you meant by saying below
My problem is with Kerberos and FreeIPA web GUI, which don't accept LDAP
users not created by IPA.
When you enabled migration mode and actually migrated users with 'ipa
migrate-ds' command, you will have those users
I don't understand the question: aren't users created by IPA command
line the same as if they are created via the web GUI?
Nicola
On 09/07/15 13:05, Jan Pazdziora wrote:
On Thu, Jul 09, 2015 at 11:33:23AM +0200, Nicola Canepa wrote:
Hello.
I was trying Freeipa as an addition and (maybe)
On Thu, Jul 09, 2015 at 11:33:23AM +0200, Nicola Canepa wrote:
> Hello.
> I was trying Freeipa as an addition and (maybe) future replacement for the
> current SSO solution (custom and only for web apps).
> I was able to authenticate (via pam_exec) LDAP users on the legacy system.
> My problem is wi
10 matches