Henri Bergius wrote:

> On Wed, 23 May 2001, Emiliano wrote:
> 
>> It's not impossible, all we'd need is to have mod_midgard be 
>> pam-enabled. The problems with this are twofold: one, managing users 
>> within midgard would become very hard (since we can't simply get them 
>> from the database as we do now), and two, I don't think PAM handles 
>> domains (what we'd call sitegroups).
> 
> 
> We should be able to map person accounts in Midgard to
> PAM users by the username.

That's fragile, though. A change in username (granted, that's not too 
common) would not propagate, and you'd have to create a new Midgard user 
account whenever a new NT account is created.

> However, as you said, handling
> sitegroups would be difficult. I think the only solution
> here would be to allow only one sitegroup (SG0?) on the server
> to be PAM-authenticated, or disable overlapping usernames
> between SGs, which would cause problems with the SG concept.

Yes.

> Another solution would be to just dump periodically the
> whole PAM user account set into Midgard's person table.

That's better than manually synchronizing them, but it still doesn't 
touch the domains (sitegroups and multidb) issue, and you can't get 
passwords from PAM, only verify.

Emile

