Re: [Freeipa-users] Migrating from custom auth system

2015-07-09 Thread Nicola Canepa
If I enable the PAM plugin of 389-ds, I'm able to let users be authenticated by PAM, even if the user is not present in LDAP, hence the plain-text password is passed to PAM. The only missing step is: if PAM correctly authenticates a non-existing user, it should be created (using the just

Re: [Freeipa-users] Migrating from custom auth system

2015-07-09 Thread Alexander Bokovoy
On Thu, 09 Jul 2015, Nicola Canepa wrote: If I enable the PAM plugin of 389-ds, I'm able to let users be authenticated by PAM, even if the user is not present in LDAP, hence the plain-text password is passed to PAM. The only missing step is: if PAM correctly authenticates a non-existing user,

Re: [Freeipa-users] Migrating from custom auth system

2015-07-09 Thread Rich Megginson
On 07/09/2015 08:36 AM, Nicola Canepa wrote: If I enable the PAM plugin of 389-ds, I'm able to let users be authenticated by PAM, even if the user is not present in LDAP, hence the plain-text password is passed to PAM. The only missing step is: if PAM correctly authenticates a non-existing

Re: [Freeipa-users] Migrating from custom auth system

2015-07-09 Thread Jan Pazdziora
On Thu, Jul 09, 2015 at 11:33:23AM +0200, Nicola Canepa wrote: Hello. I was trying Freeipa as an addition and (maybe) future replacement for the current SSO solution (custom and only for web apps). I was able to authenticate (via pam_exec) LDAP users on the legacy system. My problem is with

Re: [Freeipa-users] Migrating from custom auth system

2015-07-09 Thread Alexander Bokovoy
Nicola, perhaps it would help if you explained what you meant by saying below: My problem is with Kerberos and FreeIPA web GUI, which don't accept LDAP users not created by IPA. When you enabled migration mode and actually migrated users with the 'ipa migrate-ds' command, you will have those

Re: [Freeipa-users] Migrating from custom auth system

2015-07-09 Thread Nicola Canepa
OK, I'm sorry for the little information provided: I can't do migrate-ds, since I'm not coming from a DS (which can only be another LDAP server, I guess). The only thing I can expect is that users will log in to one of the applications which I put under FreeIPA authentication. So I mixed the NIS

[Freeipa-users] Migrating from custom auth system

2015-07-09 Thread Nicola Canepa
Hello. I was trying Freeipa as an addition and (maybe) future replacement for the current SSO solution (custom and only for web apps). I was able to authenticate (via pam_exec) LDAP users on the legacy system. My problem is with Kerberos and FreeIPA web GUI, which don't accept LDAP users not

Re: [Freeipa-users] Migrating from custom auth system

2015-07-09 Thread Nicola Canepa
Thank you Alexander. If the previous password is not used, I could set an impossible-hash password (such as {crypt}*) and let users log in authenticating through PAM? Or I could put the user-add in the pam_exec script (but only if the user does not already exist). I'll test both ways.
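
The second option above (creating the IPA user from inside the pam_exec script, only after the legacy system has accepted the password and only if the user is not already there) sketched as an added example; this is not code from the thread or from FreeIPA. It assumes a PAM line of the form `auth sufficient pam_exec.so expose_authtok quiet /usr/local/sbin/legacy-auth-provision.sh`, a hypothetical legacy checker `/usr/local/bin/legacy-check` that reads the password on stdin and exits 0 on success, and that `ipa user-show` / `ipa user-add` run with a Kerberos ticket for a principal allowed to add users. `ipa user-add` requires `--first` and `--last`; where the legacy system holds real names, substitute them for the placeholders.

```shell
#!/bin/sh
# Hypothetical pam_exec helper (added example, not from the thread or from FreeIPA).
# pam_exec exports PAM_USER and PAM_TYPE and, with expose_authtok, writes the
# password to stdin. Only after the legacy system accepts the password do we
# touch IPA, and only if the user does not exist yet.

IPA_CMD="${IPA_CMD:-ipa}"                                  # assumed: ipa CLI with a valid ticket
LEGACY_AUTH_CMD="${LEGACY_AUTH_CMD:-/usr/local/bin/legacy-check}"  # assumed legacy checker

# Accept only names that are safe to hand to ipa(1) and cannot smuggle
# options or shell metacharacters: lowercase, starts with a letter, max 32.
valid_username() {
    printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9._-]{0,31}$'
}

# Ask the legacy system. The password goes over stdin, never on argv,
# so it does not show up in ps or audit logs.
legacy_auth() {
    user="$1"; password="$2"
    printf '%s' "$password" | "$LEGACY_AUTH_CMD" "$user"
}

ipa_user_exists() {
    "$IPA_CMD" user-show "$1" >/dev/null 2>&1
}

# Create the IPA entry on first successful legacy login. Returns 0 if the
# user exists afterwards, non-zero if creation failed.
ensure_ipa_user() {
    user="$1"
    if ipa_user_exists "$user"; then
        return 0
    fi
    # Placeholders: pull real names from the legacy system if it has them.
    "$IPA_CMD" user-add "$user" --first "$user" --last "migrated" >/dev/null
}

# Entry point when run by pam_exec for the auth phase.
run_pam_exec() {
    [ "$PAM_TYPE" = "auth" ] || exit 1
    user="$PAM_USER"
    valid_username "$user" || exit 1
    # expose_authtok writes the token plus a NUL; cap the length and drop the NUL.
    password=$(head -c 4096 | tr -d '\0')
    [ -n "$password" ] || exit 1
    legacy_auth "$user" "$password" || exit 1
    ensure_ipa_user "$user" || exit 1
    exit 0
}

# Run only when invoked by PAM; sourcing the file for tests does nothing.
if [ -n "$PAM_USER" ] && [ -n "$PAM_TYPE" ]; then
    run_pam_exec
fi
```

Note that a user created this way still has no usable Kerberos key in IPA; the `ensure_ipa_user` step only provisions the entry, and the password path stays through PAM until the user's password is set in IPA.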

Re: [Freeipa-users] Migrating from custom auth system

2015-07-09 Thread Alexander Bokovoy
On Thu, 09 Jul 2015, Nicola Canepa wrote: Thank you Alexander. If the previous password is not used, I could set an impossible-hash password (such as {crypt}*) and let users log in authenticating through PAM? How would you authenticate then? Remember that it is the hash in userPassword

Re: [Freeipa-users] Migrating from custom auth system

2015-07-09 Thread Alexander Bokovoy
On Thu, 09 Jul 2015, Nicola Canepa wrote: OK, I'm sorry for the little information provided: I can't do migrate-ds, since I'm not coming from a DS (which can only be another LDAP server, I guess). The only thing I can expect is that users will log in to one of the applications which I put under