HylaFAX The world's
most advanced open source fax server
|
|
[
Date Prev][
Date Next][
Thread Prev][
Thread Next]
[
Date Index]
[
Thread Index]
Re: [hylafax-users] PAM authentication and JobProtection
On Fri, Dec 10, 2010 at 11:00 AM, Lee Howard <faxguy@xxxxxxxxxxxxxxxx> wrote:
>> Do you think a new attribute in ldap would help? I mean, it would be
>> possibile to add a faxGroup attribute to the currently used LDAP schema
>> (is it posixUser?) and use it as hylafax uid? Of course it will not be
>> usable via PAM, but it could be used when hylafax+ directly access LDAP.
>>
>
> Yes, this is certainly possible, but I think it requires code development
> work. And in my way of thinking if someone is going to do some development
> work for this then that could be best-spent implementing a feature that
> works for all authentication methods (both PAM and LDAP). So that's how I'd
> spend *my* time trying to resolve it rather than developing something
> specific to LDAP.
PAM is "authentication only". So, on systems that use LDAP for system
users, etc, you always have to couple libpam-ldap and libnss-ldap.
PAM provides the "authentication" half, and then NSS provided all the
"name services" like unix user/group.
Where this get's "messy" is that PAM has service-based configuration
options, but NSS is only "global". So if we wanted to get HylaFAX to
retrieve uid information in the "PAM" model, after it authenticates,
it would call getpwname(the_user). The problem is that PAM allows
the "hylafax" service to have it's own config separate from everything
else (i.e. not common-auth, etc), but NSS doesn't.
So if we don't want to require the *system* to use LDAP for NSS, we're
going to have to go directly to "backend direct" like LDAP. Of
course, that means we loose the ability to plug into anything else
easily (like databases, pwdfile, etc). That means moving from runtime
flexibility, to compile-time selection of what to include. If we want
to go that way, we really should go to a "loadable module" type
interface, so that packagers don't have to force HylaFAX to depend on
everything (like all of ldap, libmysql, libpq, and whatever type of
authentication mechanism we decide to build in directly).
a.
____________________ HylaFAX(tm) Users Mailing List _______________________
To subscribe/unsubscribe, click http://lists.hylafax.org/cgi-bin/lsg2.cgi
On UNIX: mail -s unsubscribe hylafax-users-request@xxxxxxxxxxx < /dev/null
*To learn about commercial HylaFAX(tm) support, mail sales@xxxxxxxxx*