Re: [ilugd] Virtual users mapped to system users
On Saturday 21 May 2011, Raj Mathur (राज माथुर) wrote:
> Yeah, I was also looking around for a command-line tool that will allow me to test authentication against PAM. Neither of the two tools I could find on the 'net (pamck and pamauth) seem to be easily available, keeping on looking.

For the record... Looks like testsaslauthd which ships with Cyrus-SASL lets one check user ID and password from the command-line.

Regards,

-- Raj
--
Raj Mathur r...@kandalaya.org http://kandalaya.org/
GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
PsyTrance Chill: http://schizoid.in/ || It is the mind that moves
___
Ilugd mailing list
Ilugd@lists.linux-delhi.org
http://frodo.hserus.net/mailman/listinfo/ilugd
Re: [ilugd] Virtual users mapped to system users
On Saturday 21 May 2011, Varad Gupta wrote:
> Pls see = http://permalink.gmane.org/gmane.mail.imap.courier.general/27589
>
> You can replace the SQL statements with grep/awk on /etc/passwd
>
> These and other similar lines will need to be replaced =
>
> SQL=($(dosql SELECT uid,pw,mpath,mquota FROM passwd WHERE uid='$ID'))
> SQL=($(dosql SELECT uid,pw,mpath,mquota FROM passwd WHERE uid='$ID' AND pw='$PW'))
>
> To test if the passwd is correct (auth is OK), you can use the openssl command to generate an md5 hash and match with /etc/shadow (here I am assuming your script will run as root and can read /etc/shadow). There might be other ways to do this, but this one struck me easily.

Yeah, I was also looking around for a command-line tool that will allow me to test authentication against PAM. Neither of the two tools I could find on the 'net (pamck and pamauth) seem to be easily available, keeping on looking.

As a last resort one could use direct auth against {passwd,shadow}, but that would be absolutely the last resort. I'd rather make a Perl PAM script that does that before going into grep co!

Regards,

-- Raj
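The openssl-against-/etc/shadow check suggested in the quoted text above, as an added example that is not code from the thread or from the linked script: it reads the scheme id and salt out of one shadow(5) password field, so it also covers SHA-256 and SHA-512 entries rather than only MD5, and it treats locked or unsupported entries as a failure. The function names and the sample entries are constructed for this example.

```shell
#!/bin/sh
# Added example: check a password against one shadow(5) password field using
# `openssl passwd`. The password is read from stdin, so it never shows in argv.

# scheme_flag ID -> openssl passwd option for a crypt(3) scheme id.
scheme_flag() {
    case "$1" in
        1) printf '%s\n' "-1" ;;    # MD5-crypt
        5) printf '%s\n' "-5" ;;    # SHA-256-crypt
        6) printf '%s\n' "-6" ;;    # SHA-512-crypt
        *) return 1 ;;              # bcrypt, yescrypt, ...: not handled here
    esac
}

# check_shadow_field FIELD   (password on stdin)
# Returns 0 on match, 1 on mismatch, 2 if the entry cannot be checked.
check_shadow_field() {
    stored=$1
    case "$stored" in
        ''|'!'*|'*'*) return 2 ;;   # empty, locked or disabled account
        '$'*) ;;
        *) return 2 ;;              # legacy DES or unknown format
    esac
    rest=${stored#\$}               # drop the leading '$'
    id=${rest%%\$*}                 # scheme id, e.g. 1 or 6
    rest=${rest#*\$}
    salt=${rest%%\$*}               # salt, up to the next '$'
    case "$salt" in rounds=*) return 2 ;; esac   # custom rounds: not handled
    flag=$(scheme_flag "$id") || return 2
    computed=$(openssl passwd "$flag" -salt "$salt" -stdin) || return 2
    [ "$computed" = "$stored" ]
}

# Demo on constructed fields (no real account data): both are refused (code 2).
for entry in '!' '$y$j9T$constructedsalt$constructedhash'; do
    printf 'secret\n' | check_shadow_field "$entry"
    echo "$entry -> $?"
done
```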
Re: [ilugd] Virtual users mapped to system users
Hi Raj,

Why do you want to use /etc/password? Use some enterprise directory to authenticate against. For an enterprise, if it is large (or grows to a large enterprise), having /etc/password replicated everywhere and in sync would be calling for trouble. Use PAM + OpenLDAP for the directory and any authentication server (preferably Kerberos or SAML based) to authenticate. This would also help in a lot of provisioning scenarios.

Cheers,
abhishek

> From: r...@linux-delhi.org
> To: il...@frodo.hserus.net
> Date: Sat, 21 May 2011 12:30:43 +0530
> Subject: Re: [ilugd] Virtual users mapped to system users
>
> On Saturday 21 May 2011, Varad Gupta wrote:
> > Pls see = http://permalink.gmane.org/gmane.mail.imap.courier.general/27589
> >
> > You can replace the SQL statements with grep/awk on /etc/passwd
> >
> > These and other similar lines will need to be replaced =
> >
> > SQL=($(dosql SELECT uid,pw,mpath,mquota FROM passwd WHERE uid='$ID'))
> > SQL=($(dosql SELECT uid,pw,mpath,mquota FROM passwd WHERE uid='$ID' AND pw='$PW'))
> >
> > To test if the passwd is correct (auth is OK), you can use the openssl command to generate an md5 hash and match with /etc/shadow (here I am assuming your script will run as root and can read /etc/shadow). There might be other ways to do this, but this one struck me easily.
>
> Yeah, I was also looking around for a command-line tool that will allow me to test authentication against PAM. Neither of the two tools I could find on the 'net (pamck and pamauth) seem to be easily available, keeping on looking.
>
> As a last resort one could use direct auth against {passwd,shadow}, but that would be absolutely the last resort. I'd rather make a Perl PAM script that does that before going into grep co!
>
> Regards,
>
> -- Raj
Re: [ilugd] Virtual users mapped to system users
On Sunday 22 May 2011, Abhishek Kumar wrote:
> Why do you want to use /etc/password? Use some enterprise directory to authenticate against. For an enterprise, if it is large (or grows to a large enterprise), having /etc/password replicated everywhere and in sync would be calling for trouble. Use PAM + OpenLDAP for the directory and any authentication server (preferably Kerberos or SAML based) to authenticate. This would also help in a lot of provisioning scenarios.

In very simple terms, (a) I'm not being paid enough to implement enterprise authentication, and (b) the organisation doesn't want it.

Regards,

-- Raj
Re: [ilugd] Virtual users mapped to system users
On Saturday 21 May 2011, Varad Gupta wrote:
> I'm trying to set up an IMAP server for virtual users with the following characteristics:
>
> - Server is handling multiple mail domains, say foo.com and bar.com.
> - Mail for x...@foo.com gets delivered to system user x.foo.com; mail for x...@bar.com gets delivered to system user x.bar.com.
>
> Now is it possible to have an IMAP server handle logins of the form x...@foo.com and x...@bar.com and authenticate them against the corresponding system users x.foo.com and x.bar.com? A non-database solution would be preferred.

So I finally solved the problem by automagically creating Courier user x...@foo.com and system user x.foo.com when required. This is achieved through a set of 4 Webmin Custom Command scripts which I'll be releasing under the GPL. The scripts are:

1. Create user (automatically creates system and Courier users)
2. Change password (automatically changes system and Courier passwords)
3. Show users in domain
4. Delete user (from both system and Courier)

It's a bit of a hack, but it takes the user mapping process out of runtime and into user creation time, which seems preferable.

Regards,

-- Raj
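The create-time mapping described in the message above, as an added example that is not one of the author's Webmin scripts: a shell helper that derives the system user from a mail address, rejects names that are unsafe to pass on to other commands, and refuses a second address that would land on an already-claimed system user (the local.domain scheme is not one-to-one). The function names, the map-file format and the sample addresses are assumptions made for this example.

```shell
#!/bin/sh
# Added example: derive system user "local.domain" from "local@domain" at
# user-creation time. The map file format ("address sysuser") is hypothetical.

# sysuser_for ADDRESS -> prints the system user name; returns 1 if rejected.
sysuser_for() {
    case "$1" in
        *@*@*|@*|*@) return 1 ;;          # exactly one '@', both sides non-empty
        *@*) ;;
        *) return 1 ;;
    esac
    lp=${1%@*}; dom=${1#*@}
    # Lower-case letters, digits, '.', '_' and '-' only: nothing a shell,
    # an SQL string or a path treats specially. Caller lower-cases first.
    case "$lp$dom" in *[!a-z0-9._-]*) return 1 ;; esac
    # No leading '.' or '-', no trailing '.', no empty label, in either part.
    for part in "$lp" "$dom"; do
        case "$part" in .*|-*|*.|*..*) return 1 ;; esac
    done
    name="$lp.$dom"
    [ "${#name}" -le 32 ] || return 1     # useradd(8) login-name length limit
    printf '%s\n' "$name"
}

# claim_sysuser ADDRESS MAPFILE -> prints the system user and records it.
# Returns 1 for an invalid address, 2 if another address already owns the name.
claim_sysuser() {
    user=$(sysuser_for "$1") || return 1
    owner=$(awk -v u="$user" '$2 == u { print $1; exit }' "$2")
    if [ -n "$owner" ] && [ "$owner" != "$1" ]; then
        return 2   # a.b@foo.com and a@b.foo.com both yield a.b.foo.com
    fi
    [ -n "$owner" ] || printf '%s %s\n' "$1" "$user" >> "$2"
    printf '%s\n' "$user"
}

# Demo on constructed addresses.
map=$(mktemp)
for a in x@foo.com x@bar.com a.b@foo.com a@b.foo.com 'x;id@foo.com'; do
    if u=$(claim_sysuser "$a" "$map"); then echo "$a -> $u"
    else echo "$a rejected (code $?)"; fi
done
rm -f "$map"
```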