On Thu, 09 Jul 2015, Nicola Canepa wrote:
If I enable the PAM plugin of 389-ds, I'm able to let users be authenticated by PAM, even if the user is not present in LDAP, hence the plain-text password is passed to PAM. The only missing step is: if PAM correctly authenticates a non-existing user, it should be created (using the just-supplied password).
I have a feeling you are overcomplicating things for yourself.
You don't need the PAM plugin of 389-ds to be enabled or used with FreeIPA. All you need is to create your users in IPA, assign them some temporary passwords, let them visit https://ipa.example.com/ipa/ui/reset_password.html, set up your web app to authenticate via PAM like http://www.freeipa.org/page/Web_App_Authentication explains, and you are done.

-- 
/ Alexander Bokovoy

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
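The setup Alexander describes, staged as a shell script. This is an added example, not code from the thread or from the FreeIPA project. It assumes a host already enrolled in IPA with sssd, Apache with mod_authnz_pam installed, a PAM service name "webapp", a config root passed as the first argument (/etc on the real host), and a sample user "alice" with a temporary password supplied in TEMP_PW; all of those names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): stage a web
# app that authenticates through PAM/sssd against IPA, with users created
# in IPA up front and given a temporary password.
# Assumed: PAM service "webapp", config root in $1 (e.g. /etc), an admin
# Kerberos ticket (kinit) when provisioning users, sample user "alice".

PAM_SERVICE="${PAM_SERVICE:-webapp}"

# PAM stack for the app: only sssd (IPA) answers, with no pam_unix
# fallback, so a login that does not exist in IPA cannot succeed at all.
# That is why the users have to be created first rather than on demand.
pam_service_conf() {
    cat <<EOF
auth     required pam_sss.so
account  required pam_sss.so
EOF
}

# Apache fragment: mod_authnz_pam hands the Basic-auth password to the
# PAM service above. "Require pam-account" also runs the PAM account
# phase, so IPA HBAC rules for service "$PAM_SERVICE" are enforced.
httpd_auth_conf() {
    cat <<EOF
<Location "/app">
    AuthType Basic
    AuthName "IPA login"
    AuthBasicProvider PAM
    AuthPAMService ${PAM_SERVICE}
    Require pam-account ${PAM_SERVICE}
</Location>
EOF
}

# Write both files under the given root (use /etc on the real host).
write_configs() {
    root="$1"
    mkdir -p "$root/pam.d" "$root/httpd/conf.d"
    pam_service_conf > "$root/pam.d/$PAM_SERVICE"
    httpd_auth_conf > "$root/httpd/conf.d/${PAM_SERVICE}-auth.conf"
}

# Command that creates one IPA user; with --password and stdin not a tty,
# ipa reads the password from stdin. IPA marks an admin-set password as
# expired, so the first visit to /ipa/ui/reset_password.html forces a change.
ipa_user_add_cmd() {   # login first last
    printf 'ipa user-add %s --first=%s --last=%s --password' "$1" "$2" "$3"
}

provision_user() {   # login first last temp_password
    printf '%s\n' "$4" | $(ipa_user_add_cmd "$1" "$2" "$3")
}

# Only act when a config root is given; run as: TEMP_PW=... sh setup.sh /etc
if [ -n "${1:-}" ]; then
    write_configs "$1"
    provision_user alice Alice Smith "${TEMP_PW:?set TEMP_PW to the temporary password}"
fi
```

Two practical checks before going live: the HBAC rule set must allow service "webapp" on this host (if you have deleted the default allow_all rule, `Require pam-account` will reject everyone until you add one), and Basic auth puts the user's plain-text password on every request, so the /app location must be served over TLS only.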