HylaFAX The world's most advanced open source fax server


Re: [hylafax-users] PAM authentication and JobProtection



On Fri, Dec 10, 2010 at 11:00 AM, Lee Howard <faxguy@xxxxxxxxxxxxxxxx> wrote:

>> Do you think a new attribute in ldap would help? I mean, it would be
>> possible to add a faxGroup attribute to the currently used LDAP schema
>> (is it posixUser?) and use it as hylafax uid? Of course it will not be
>> usable via PAM, but it could be used when hylafax+ directly accesses LDAP.
>>
>
> Yes, this is certainly possible, but I think it requires code development
> work.  And in my way of thinking if someone is going to do some development
> work for this then that could be best-spent implementing a feature that
> works for all authentication methods (both PAM and LDAP).  So that's how I'd
> spend *my* time trying to resolve it rather than developing something
> specific to LDAP.

PAM is "authentication only".  So, on systems that use LDAP for system
users, etc., you always have to couple libpam-ldap and libnss-ldap.

PAM provides the "authentication" half, and then NSS provides all the
"name services" like Unix user/group.

Where this gets "messy" is that PAM has service-based configuration
options, but NSS is only "global".  So if we wanted to get HylaFAX to
retrieve uid information in the "PAM" model, after it authenticates,
it would call getpwnam(the_user).  The problem is that PAM allows
the "hylafax" service to have its own config separate from everything
else (i.e. not common-auth, etc), but NSS doesn't.

So if we don't want to require the *system* to use LDAP for NSS, we're
going to have to go directly to "backend direct" like LDAP.  Of
course, that means we lose the ability to plug into anything else
easily (like databases, pwdfile, etc).  That means moving from runtime
flexibility to compile-time selection of what to include.  If we want
to go that way, we really should go to a "loadable module" type
interface, so that packagers don't have to force HylaFAX to depend on
everything (like all of ldap, libmysql, libpq, and whatever type of
authentication mechanism we decide to build in directly).

a.
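An added illustration of the "PAM model" lookup described in the message above (example code, not from the thread or from HylaFAX itself): once the service-specific PAM stack has accepted a user, the uid/gid comes from the global NSS databases via getpwnam_r, and the case the thread worries about, a user PAM accepted but NSS does not know, is reported as a distinct outcome rather than a lookup error. The function names are mine.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* NSS half of the "PAM model": PAM has already said "yes" to `user` under
 * the service-specific "hylafax" stack; now the global NSS databases are
 * asked for the uid/gid.  Returns 0 on success, 1 when NSS has no entry
 * for the user (PAM knew the user, the system's NSS does not), and -1 on
 * a real error with errno set. */
int resolve_fax_identity(const char *user, uid_t *uid, gid_t *gid)
{
    long hint = sysconf(_SC_GETPW_R_SIZE_MAX);
    size_t len = hint > 0 ? (size_t)hint : 1024;
    char *buf = NULL;
    struct passwd pw, *result = NULL;
    int rc;
    for (;;) {                          /* grow the buffer until the entry fits */
        char *nbuf = realloc(buf, len);
        if (nbuf == NULL) { free(buf); return -1; }
        buf = nbuf;
        rc = getpwnam_r(user, &pw, buf, len, &result);
        if (rc != ERANGE) break;
        len *= 2;
    }
    if (rc != 0) { free(buf); errno = rc; return -1; }
    if (result == NULL) { free(buf); return 1; }   /* authenticated, but unknown to NSS */
    *uid = pw.pw_uid; *gid = pw.pw_gid;
    free(buf);
    return 0;
}

/* Convenience wrapper: uid on success, -1 if NSS has no entry, -2 on error. */
long lookup_fax_uid(const char *user)
{
    uid_t uid; gid_t gid;
    int rc = resolve_fax_identity(user, &uid, &gid);
    return rc == 0 ? (long)uid : (rc == 1 ? -1 : -2);
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "root";   /* user name to resolve */
    long r = lookup_fax_uid(user);
    printf("%s -> %s%ld\n", user, r >= 0 ? "uid " : "status ", r);
    return r >= 0 ? 0 : 1;
}
```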





