Re: [ilugd] Virtual users mapped to system users

2011-05-23 Thread Raj Mathur (राज माथुर)
On Saturday 21 May 2011, Raj Mathur (राज माथुर) wrote:
> Yeah, I was also looking around for a command-line tool that will
> allow me to test authentication against PAM.  Neither of the two
> tools I could find on the 'net (pamck and pamauth) seem to be easily
> available, keeping on looking.

For the record...

Looks like testsaslauthd which ships with Cyrus-SASL lets one check user 
ID and password from the command-line.

Regards,

-- Raj
-- 
Raj Mathur    r...@kandalaya.org    http://kandalaya.org/
   GPG: 78D4 FC67 367F 40E2 0DD5  0FEF C968 D0EF CC68 D17F
PsyTrance & Chill: http://schizoid.in/   ||   It is the mind that moves

___
Ilugd mailing list
Ilugd@lists.linux-delhi.org
http://frodo.hserus.net/mailman/listinfo/ilugd


Re: [ilugd] Virtual users mapped to system users

2011-05-21 Thread Raj Mathur (राज माथुर)
On Saturday 21 May 2011, Varad Gupta wrote:
> Pls see =>
> http://permalink.gmane.org/gmane.mail.imap.courier.general/27589
>
> You can replace the SQL statements with grep/awk on /etc/passwd
>
> These and other similar lines will need to be replaced =>
>
> SQL=($(dosql SELECT uid,pw,mpath,mquota FROM passwd WHERE
> uid='$ID'))
>
>
> SQL=($(dosql SELECT uid,pw,mpath,mquota FROM passwd WHERE uid='$ID'
> AND pw='$PW'))
>
> To test if the passwd is correct (auth is OK), you can use the
> openssl command to generate an md5 hash and match with /etc/shadow
> (here I am assuming your script will run as root and can read
> /etc/shadow). There might be other ways to do this, but this one
> struck me easily.

Yeah, I was also looking around for a command-line tool that will allow 
me to test authentication against PAM.  Neither of the two tools I could 
find on the 'net (pamck and pamauth) seem to be easily available, 
keeping on looking.

As a last resort one could use direct auth against {passwd,shadow}, but 
that would be absolutely the last resort.  I'd rather make a Perl PAM 
script that does that before going into grep & co!

Regards,

-- Raj
-- 
Raj Mathur    r...@kandalaya.org    http://kandalaya.org/
   GPG: 78D4 FC67 367F 40E2 0DD5  0FEF C968 D0EF CC68 D17F
PsyTrance & Chill: http://schizoid.in/   ||   It is the mind that moves
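
The direct check against a shadow hash discussed in the message above, as an added example (not part of the thread or of the linked script). `check_shadow_hash` is a hypothetical helper; beyond the MD5 case mentioned in the thread it also accepts `$5$` and `$6$` entries, which assumes an `openssl passwd` that supports `-5`/`-6`, and the sample password and salt are constructed.

```shell
#!/bin/sh
# Added illustration; check_shadow_hash is a hypothetical helper name.
# Usage: printf '%s\n' "$password" | check_shadow_hash "$hash_field"
# Returns 0 = match, 1 = mismatch, 2 = locked or unsupported entry.
check_shadow_hash() {
    stored=$1
    case $stored in
        '$1$'*|'$5$'*|'$6$'*) ;;   # md5crypt, sha256crypt, sha512crypt
        *) return 2 ;;             # '!', '*', empty, or a scheme openssl lacks
    esac
    # Field layout is $<id>$<salt>$<digest>; peel off id and salt.
    rest=${stored#\$}
    id=${rest%%\$*}
    rest=${rest#*\$}
    salt=${rest%%\$*}
    case $salt in
        ''|rounds=*) return 2 ;;   # custom round counts are not handled here
    esac
    # The candidate arrives on stdin, so it never shows up in the process list.
    computed=$(openssl passwd "-$id" -salt "$salt" -stdin 2>/dev/null) || return 2
    [ -n "$computed" ] && [ "$computed" = "$stored" ]
}

# Constructed demo: hash a sample password, then try two candidates against it.
demo_hash=$(printf '%s\n' 'sample-pass' | openssl passwd -1 -salt 'Ab3dEf9h' -stdin)
for try in 'sample-pass' 'wrong-pass'; do
    if printf '%s\n' "$try" | check_shadow_hash "$demo_hash"; then
        echo "$try: auth OK"
    else
        echo "$try: auth FAILED"
    fi
done
```

Locked accounts (`!`, `*`) and entries with a `rounds=` parameter return 2 rather than 1, so a caller can tell "wrong password" apart from "cannot be checked this way".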



Re: [ilugd] Virtual users mapped to system users

2011-05-21 Thread Abhishek Kumar

Hi Raj,
 
Why do you want to use /etc/password? Use some enterprise directory to 
authenticate against.
 
For an enterprise, if it is large (or grows into a large enterprise), having 
/etc/password replicated everywhere and in sync would be calling for trouble.
 
Use PAM + OpenLDAP for the directory and any authentication server (preferably 
Kerberos or SAML based) to authenticate. This would also help in a lot of 
provisioning scenarios.
 
cheers,
abhishek
 
> From: r...@linux-delhi.org
> To: il...@frodo.hserus.net
> Date: Sat, 21 May 2011 12:30:43 +0530
> Subject: Re: [ilugd] Virtual users mapped to system users
>
> On Saturday 21 May 2011, Varad Gupta wrote:
> > Pls see =>
> > http://permalink.gmane.org/gmane.mail.imap.courier.general/27589
> >
> > You can replace the SQL statements with grep/awk on /etc/passwd
> >
> > These and other similar lines will need to be replaced =>
> >
> > SQL=($(dosql SELECT uid,pw,mpath,mquota FROM passwd WHERE
> > uid='$ID'))
> >
> >
> > SQL=($(dosql SELECT uid,pw,mpath,mquota FROM passwd WHERE uid='$ID'
> > AND pw='$PW'))
> >
> > To test if the passwd is correct (auth is OK), you can use the
> > openssl command to generate an md5 hash and match with /etc/shadow
> > (here I am assuming your script will run as root and can read
> > /etc/shadow). There might be other ways to do this, but this one
> > struck me easily.
>
> Yeah, I was also looking around for a command-line tool that will allow
> me to test authentication against PAM. Neither of the two tools I could
> find on the 'net (pamck and pamauth) seem to be easily available,
> keeping on looking.
>
> As a last resort one could use direct auth against {passwd,shadow}, but
> that would be absolutely the last resort. I'd rather make a Perl PAM
> script that does that before going into grep & co!
>
> Regards,
>
> -- Raj
> --
> Raj Mathur r...@kandalaya.org http://kandalaya.org/
> GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
> PsyTrance & Chill: http://schizoid.in/ || It is the mind that moves


Re: [ilugd] Virtual users mapped to system users

2011-05-21 Thread Raj Mathur (राज माथुर)
On Sunday 22 May 2011, Abhishek Kumar wrote:
> Why do you want to use /etc/password? Use some enterprise directory
> to authenticate against.
>
> For an enterprise, if it is large (or grows into a large enterprise),
> having /etc/password replicated everywhere and in sync would be
> calling for trouble.
>
> Use PAM + OpenLDAP for the directory and any authentication
> server (preferably Kerberos or SAML based) to authenticate. This
> would also help in a lot of provisioning scenarios.

In very simple terms, (a) I'm not being paid enough to implement 
enterprise authentication, and (b) the organisation doesn't want it.

Regards,

-- Raj
-- 
Raj Mathur    r...@kandalaya.org    http://kandalaya.org/
   GPG: 78D4 FC67 367F 40E2 0DD5  0FEF C968 D0EF CC68 D17F
PsyTrance & Chill: http://schizoid.in/   ||   It is the mind that moves



Re: [ilugd] Virtual users mapped to system users

2011-05-21 Thread Raj Mathur (राज माथुर)
On Saturday 21 May 2011, Varad Gupta wrote:
> > I'm trying to set up an IMAP server for virtual users with the
> > following characteristics:
> > - Server is handling multiple mail domains, say foo.com and
> > bar.com.
> >
> > - Mail for x...@foo.com gets delivered to system user x.foo.com; mail
> > for x...@bar.com gets delivered to system user x.bar.com.
> >
> > Now is it possible to have an IMAP server handle logins of the form
> > x...@foo.com and x...@bar.com and authenticate them against the
> > corresponding system users x.foo.com and x.bar.com?  A
> > non-database solution would be preferred.

So I finally solved the problem by automagically creating Courier user 
x...@foo.com and system user x.foo.com when required.  This is achieved 
through a set of 4 Webmin Custom Command scripts which I'll be releasing 
under the GPL.  The scripts are:

1. Create user (automatically creates system and Courier users)
2. Change password (automatically changes system and Courier passwords)
3. Show users in domain
4. Delete user (from both system and Courier)

It's a bit of a hack, but it takes the user mapping process out of 
runtime and into user creation time, which seems preferable.

Regards,

-- Raj
-- 
Raj Mathur    r...@kandalaya.org    http://kandalaya.org/
   GPG: 78D4 FC67 367F 40E2 0DD5  0FEF C968 D0EF CC68 D17F
PsyTrance & Chill: http://schizoid.in/   ||   It is the mind that moves
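
The login-to-system-user mapping described in the message above, done at user creation time, as an added example (not the Webmin scripts mentioned in the post). `map_login` is a hypothetical helper, the sample logins are constructed, and the 32-character cap is an assumption based on the usual `useradd` limit.

```shell
#!/bin/sh
# Added illustration; map_login is a hypothetical helper name.
LC_ALL=C; export LC_ALL        # make [a-z] mean ASCII lower case only

# map_login LOGIN: prints the system user for local@domain and returns 0,
# or prints nothing and returns 1 if the login must be rejected.
map_login() {
    login=$1
    case $login in
        *@*@*|@*|*@) return 1 ;;   # exactly one '@', both sides non-empty
        *@*) ;;
        *) return 1 ;;
    esac
    localpart=${login%@*}
    domain=${login#*@}
    # No dots in the local part: a.b@foo.com and a@b.foo.com would otherwise
    # both map to a.b.foo.com. The allow-list also blocks '/', spaces, etc.
    case $localpart in
        *[!a-z0-9_-]*|-*) return 1 ;;
    esac
    case $domain in
        *[!a-z0-9.-]*|.*|*.|*..*|-*) return 1 ;;
    esac
    sysuser=$localpart.$domain
    [ ${#sysuser} -le 32 ] || return 1   # assumed useradd name-length limit
    printf '%s\n' "$sysuser"
}

# Constructed sample logins.
for l in 'x@foo.com' 'x@bar.com' 'a.b@foo.com' '../etc@foo.com' 'x@foo.com@bar.com'; do
    if u=$(map_login "$l"); then
        echo "$l -> $u"
    else
        echo "$l -> rejected"
    fi
done
```

Running the same function in the create, change-password and delete scripts keeps the Courier name and the system name derived from one rule, so the two cannot drift apart.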
