| Summary: | sys-auth/pambase: LDAP authentication support | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Mike Nerone <mike> |
| Component: | New packages | Assignee: | Mikle Kolyada (RETIRED) <zlogene> |
| Status: | RESOLVED WONTFIX | | |
| Severity: | normal | CC: | alexander, barzog, jlec, ldap-bugs, pam-bugs+disabled, sam |
| Priority: | High | | |
| Version: | 2008.0 | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |

Attachments:

- Attachment 201464: Patch to pambase-20090620.1 source to add support for pam_ldap
- Attachment 201466: Patch to pambase-20090620.1-r1.ebuild to enable LDAP support.
- Attachment 201473: Patch to pambase-20090620.1-r1.ebuild to enable LDAP support.
- Attachment 201819: Patch to pambase-20090620.1 source to add support for pam_ldap.
- Attachment 202165: git-formatted patch to pambase source
Description
Mike Nerone
2009-08-16 20:30:31 UTC
Created attachment 201464 [details, diff]
Patch to pambase-20090620.1 source to add support for pam_ldap
For the ebuild patch that will follow, this file should be placed in pambase's $FILESDIR/20090620.1/ldap.patch.
Created attachment 201466 [details, diff]
Patch to pambase-20090620.1-r1.ebuild to enable LDAP support.
Created attachment 201473 [details, diff]
Patch to pambase-20090620.1-r1.ebuild to enable LDAP support.
Removed a completely unnecessary condition. Sorry about the repeat.
Almost forgot to credit the "Gentoo Guide to OpenLDAP Authentication" at http://www.gentoo.org/doc/en/ldap-howto.xml. My modifications to /etc/pam.d/system-auth are an adaptation of those suggested in that guide.

Since I have no clue about LDAP auth at all, I'd like to ask our resident LDAP guys to take a look at that as well. Mike, instead of a patch inside the ebuild, the best thing would be to just patch pambase in its GIT repository ( http://git.overlays.gentoo.org/gitweb/?p=proj/pambase.git;a=summary ), so you also would be credited. Only please try to keep with the style (tabulation and alignment).

Your ldap.patch is buggy in that it keeps redeclaring "auth sufficient pam_ldap.so". Other than that, it's mostly ok. Depending on actual user needs, they might want to bring in the actual auth pam_ldap before auth pam_unix, with relevant changes to use_first_pass. Additionally, for the Gentoo infra, we do this for account:

    account required pam_unix.so
    account [success=done new_authtok_reqd=done perm_denied=bad default=ignore] pam_ldap.so

I also agree with Diego that feeding this upstream (via Diego) is probably best. Maybe check up on the other distros' integration of pam_ldap to see that the inclusion would work out best.

Created attachment 201819 [details, diff]
Patch to pambase-20090620.1 source to add support for pam_ldap.
Doh! Can't believe I missed that. Cut and paste gone awry. :(
I have a git patch ready. Is simply attaching that here the right procedure to submit it for upstream since upstream is Diego?
Created attachment 202165 [details, diff]
git-formatted patch to pambase source
Diego emailed me to let me know I should attach the git-formatted source patch, so here it is.
Of course, the ebuild patch is needed, as well, except src_unpack() can be removed.
Comment on attachment 202165 [details, diff]
git-formatted patch to pambase source
It'll have to be reformed a bit; right now I added support for Kerberos auth, without using the sufficient stuff that would break desktop systems. The problem is integrating multiple stacks; I'll see what I can do.

Possibly implement LDAP just like Kerberos is done, but with a check to make sure the USE flags are mutually exclusive (so that you can always use "success=1" instead of having to calculate how many lines to skip)? This type of structure wouldn't allow for authentication systems of more than one service + unix, but such configurations have to be pretty rare, right? Right? :|

Mike Nerone: Actually, in the new pambase I'm working on (branch m4 of the git repo) there is support for multiple authentication systems without the need for calculating skip lines.

What is the progress here? I would be interested in seeing this pushed to the tree.

I haven't had time to work on this in a very long time: it's a time-consuming job and I don't have a direct use of it... I tried getting funded to work on it but nobody seems to be interested in that... Feel free to pick up my m4 branch and work on it if you have the time and interest.

I am really not experienced in PAM, but I have interest in an easy, straightforward way to set up PAM. I will try to look into that, but be aware of questions from me.

pam_ldap is rather nonsense to add to pambase; let's go for sss.
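Two concrete PAM-stack problems come up in this thread: the ldap.patch that redeclared "auth sufficient pam_ldap.so", and the risk of miscounting the lines a "success=N" action skips once more than one authentication backend sits in front of pam_unix. The following linter is an added example, not code from this bug or from pambase: it parses pam.d-style lines, reports a control+module pair declared twice in one stack, a numeric jump that skips more entries than remain, and use_first_pass on the first auth module (which has no earlier module to take a password from). Both sample stacks are constructed for this example; the account lines in FIXED_STACK are the ones quoted from the Gentoo infra comment above, and the auth lines apply the "success=1" pattern the thread discusses.

```python
"""Lint a Linux-PAM stack (e.g. /etc/pam.d/system-auth) for the mistakes
discussed in this bug. Added example; sample stacks are constructed."""

import re
from collections import Counter
from dataclasses import dataclass, field

# type  control  module  [args...]; control is a keyword or a bracketed action list
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


@dataclass
class PamEntry:
    lineno: int
    type: str      # auth, account, password, session
    control: str   # keyword such as 'required', or the raw '[value=action ...]'
    module: str
    args: list = field(default_factory=list)


def parse_stack(text):
    """Parse pam.d-style lines into PamEntry objects, ignoring comments and blanks."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        ptype, control, module, rest = m.groups()
        # a leading '-' tells PAM to skip a missing module silently; it is not part of the type
        entries.append(PamEntry(lineno, ptype.lstrip("-"), control, module, rest.split()))
    return entries


def jump_distance(control):
    """Largest numeric 'value=N' action in a bracketed control, 0 if there is none."""
    if not control.startswith("["):
        return 0
    actions = (tok.partition("=")[2] for tok in control[1:-1].split())
    return max((int(a) for a in actions if a.isdigit()), default=0)


def lint(text):
    """Return a list of human-readable findings for the stack in `text`."""
    findings = []
    by_type = {}
    for e in parse_stack(text):
        by_type.setdefault(e.type, []).append(e)

    for ptype, stack in by_type.items():
        # 1. the same control+module declared twice in one stack (the cut-and-paste bug)
        for (control, module), n in Counter((e.control, e.module) for e in stack).items():
            if n > 1:
                findings.append(f"{ptype}: '{control} {module}' declared {n} times")

        # 2. a numeric jump must not skip past the end of this stack
        for i, e in enumerate(stack):
            jump = jump_distance(e.control)
            remaining = len(stack) - i - 1
            if jump > remaining:
                findings.append(
                    f"line {e.lineno}: '{e.control}' skips {jump} entries but only "
                    f"{remaining} remain in the {ptype} stack")

        # 3. use_first_pass on the first auth module: nothing before it collected a password
        if ptype == "auth" and "use_first_pass" in stack[0].args:
            findings.append(f"line {stack[0].lineno}: use_first_pass on the first auth module")
    return findings


# constructed sample reproducing the mistakes discussed in the bug
BUGGY_STACK = """\
auth     sufficient pam_ldap.so use_first_pass
auth     sufficient pam_ldap.so
auth     [success=2 default=ignore] pam_unix.so try_first_pass
auth     required   pam_deny.so
account  required   pam_unix.so
"""

# constructed sample: pam_ldap ahead of pam_unix with a one-entry jump, plus the
# account stack quoted from the Gentoo infra comment in this thread
FIXED_STACK = """\
auth     [success=1 default=ignore] pam_ldap.so
auth     required   pam_unix.so try_first_pass
auth     required   pam_permit.so
account  required   pam_unix.so
account  [success=done new_authtok_reqd=done perm_denied=bad default=ignore] pam_ldap.so
"""

if __name__ == "__main__":
    for name, stack in (("buggy", BUGGY_STACK), ("fixed", FIXED_STACK)):
        print(f"{name}: {lint(stack) or ['no findings']}")
```

The jump check treats "success=N" as skipping the next N entries of the same stack, which is how Linux-PAM documents the numeric action; a jump that lands exactly on the end of the stack is accepted, one that overshoots is reported. The duplicate check keys on control and module only, so two lines that differ solely in their arguments are still reported, which is the shape of the original cut-and-paste error.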
Possibly implement LDAP just like kerberos is done, but with a check to make sure the USE flags are mutually exclusive (so that you can always use "success=1" instead of having to calculate how many lines to skip)? This type of structure wouldn't allow for authentication systems of more than one-service+unix, but such configurations have to be pretty rare, right? Right? :| Mike Nerone Actually, in the new pambase I'm working on (branch m4 of the git repo) there is support for multiple authentication systems without the need for calculating skip lines. What is the progress here? I would be interested in seeing this pushed to the tree. I haven't had time to work on this in a very long time: it's a time consuming job and I don't have a direct use of it... I tried getting funded to work on it but nobody seems to be interested in that.. feel free to pick up my m4 branch and work on it if you have the time and interest... I am really not experienced in pam, but I have interest in a easy straight forward way to setup pam. I will try to look into that, but be aware of questions from me. pam_ldap is rather nonsense to add to pambase, lets go for sss |