Mailing Lists: Apple Mailing Lists


Re: PAM questions. HELP!



OK, I am now a little more confused than before :-) But Jordan's answers
were a good start.

A couple of questions might help out me and others:

(1) is it possible to get hold of the source code for the ftpd used in MacOSX
Server 10.2.2? I now understand that it's NOT lukemftpd by default, though
lukemftpd is the default on OSX 10.2.2 client, and also comes with Server,
though is not used by default on Server. I have found a copy of an
alternative ftpd on opendarwin.org, but I have a feeling that this is not
exactly the same as that on OSX Server 10.2.2 [basically I want to add DS
support to the standard ftp as shipped on OSX Server 10.2.2, so I can use the
OSX Server tools for adminning the FTP server, but it looks like I can't at
the moment...]

(2) in Darwin, there's a package of pam modules that includes a lot of stuff
that is not there on OSX 10.2.2 server or client, eg pam_directoryservice.
Why are these not shipped on MacOSX? Does it mean that they are not 100%
compatible with OSX 10.2.2? eg pam_directoryservice communicates with
DirectoryService via a mach port -- not the standard way described in the DS
docs, and I assume this means that DS must have mach communications enabled
in it, and I can't tell if it has this as shipped on MacOSX.

(3) If I can simply compile the extra pam modules (eg pam_directoryservice),
what do I have to do to configure ftp to use pam_directoryservice.so? Do I
set up a file eg /etc/pam.d/ftp and basically copy the contents of
/etc/pam.d/sshd, or how do I know what filename I should use? Does this
filename depend on something hardwired into the pam calls within (lukem)ftpd?

Lastly, I have got loginwindow to authenticate quite happily to an openldap
server that relays requests to a Novell e-directory, and manufactures some
info (eg user ids) on the fly, so I at least have users logging in ok at the
console. It's just ftp etc that are a real pain at the moment.

Thanks for any answers,
Stephen Brandon


On Wednesday 27 November 2002 20:17, Jordan Hubbard wrote:
> Short answer: You don't. LoginWindow doesn't use PAM, only the "Unix
> side" of the house does, e.g. ssh and a console login or other form of
> remote login. For LoginWindow, you need to write a security frameworks
> plug-in. Once you do that, PAM will use it since the default PAM
> authentication path includes a pam_securityframework plugin which jumps
> over to the security frameworks mechanism rather quickly.
>
> As to the why, it's pretty simple. Mac OS X was set up to use security
> frameworks, which also provides a chain of plug-ins based
> authentication scheme, well before PAM was introduced. Rather than
> have parallel mechanisms or a reference-counted, loop-detecting scheme
> which allowed security frameworks to chain to PAM and vice-versa
> without causing authentication loops, it was deemed simpler to have one
> be the default and just chain the mechanisms in a "Y" configuration.
>
> If that causes a lot of confusion going forward, I guess we could
> always write a security frameworks module which links to PAM at the
> very end of the chain, adding some extra hair to do the loop detection,
> but it's probably more work than it's worth unless people prove highly
> adverse to writing security frameworks plug-ins.
>
> - Jordan
>
> On Wednesday, November 27, 2002, at 07:56 AM, Sean wrote:
> > So How the heck do you get the login window to use PAM to authenticate and
> > authorize for the Jaguar login window? I mean the more I read the less
_______________________________________________
darwin-development mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/darwin-development
Do not post admin requests to the list. They will be ignored.


