
Re: PAM questions. HELP!

From: Stephen Brandon <email@hidden>

OK, I am now a little more confused than before :-) But Jordan's answers
were a good start.

A couple of questions might help out me and others:

(1) is it possible to get hold of the source code for the ftpd used in MacOSX
Server 10.2.2? I now understand that it's NOT lukemftpd by default, though
lukemftpd is the default on OSX 10.2.2 client, and also comes with Server,
though is not used by default on Server. I have found a copy of an
alternative ftpd on opendarwin.org, but I have a feeling that this is not
exactly the same as that on OSX Server 10.2.2 [basically I want to add DS
support to the standard ftp as shipped on OSX Server 10.2.2, so I can use the
OSX Server tools for adminning the FTP server, but it looks like I can't at
the moment...]

The ftpd used on Mac OS X Server should work with LDAP and Directory Services without you having to modify the code. You need to use the LDAPv3 plug-in in Directory Access, and configure your server with no Password mapping (unless a crypt password is available).

I just tried this out with Mac OS X Server 10.2.2 with the stock ftpd and Apple's OpenLDAP server. It worked fine, so it should work for you too.

(2) in Darwin, there's a package of pam modules that includes a lot of stuff
that is not there on OSX 10.2.2 server or client, eg pam_directoryservice.
Why are these not shipped on MacOSX? Does it mean that they are not 100%
compatible with OSX 10.2.2? eg pam_directoryservice communicates with
DirectoryService via a mach port -- not the standard way described in the DS
docs, and I assume this means that DS must have mach communications enabled
in it, and I can't tell if it has this as shipped on MacOSX.

pam_directoryservice likely does not work on 10.2.x since the format for Directory Services Mach messages has changed since 10.1 and before. It is using direct Mach communication because at the time it was written, the Directory Services was not yet open source.

Now that DirectoryService is part of Darwin, it could be rewritten to just use the DirectoryService framework which would be a better approach. There is no guarantee that our Mach messaging will be consistent between releases, since it is used only for local communication.

However, I don't believe this should be necessary since the default setup sends PAM requests through SecurityServer which communicates with lookupd and DirectoryService as appropriate to do authentication.

(3) If I can simply compile the extra pam modules (eg pam_directoryservice),
what do I have to do to configure ftp to use pam_directoryservice.so? Do I
set up a file eg /etc/pam.d/ftp and basically copy the contents of
/etc/pam.d/sshd, or how do I know what filename I should use? Does this
filename depend on something hardwired into the pam calls within (lukem)ftpd?

Lastly, I have got loginwindow to authenticate quite happily to an openldap
server that relays requests to a Novell e-directory, and manufactures some
info (eg user ids) on the fly, so I at least have users logging in ok at the
console. It's just ftp etc that are a real pain at the moment.

I'm not sure how loginwindow could be working and FTP not given that loginwindow depends on both lookupd and DirectoryService while ftp is using lookupd only. Are you ftping to the same machine that you are logging in locally on?

-Jason
_______________________________________________
darwin-development mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/darwin-development
Do not post admin requests to the list. They will be ignored.
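Added example (not from the thread, and not Apple's or lukemftpd's code): a small Python model of how PAM picks the /etc/pam.d file for a service and evaluates the classic control flags, which is the mechanism behind question (3). The sshd-style stack, the module outcomes and the assumption that the daemon passes "ftp" to pam_start() are all constructed for illustration, not taken from any Mac OS X release.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample: an sshd-style stack of the kind the question proposes
# copying to /etc/pam.d/ftp. Illustrative only; not copied from any release.
SAMPLE_PAM_D = {
    "sshd": """\
# sshd: auth account password session
auth       sufficient     pam_securityserver.so
auth       sufficient     pam_unix.so
auth       required       pam_deny.so
account    required       pam_permit.so
""",
    "other": "auth required pam_deny.so\n",   # PAM's fallback service
}

Entry = Tuple[str, str, List[str]]  # (control flag, module, module args)

def parse_stack(text: str, facility: str) -> List[Entry]:
    """Return the entries of one facility (auth, account, ...) in file order."""
    stack: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        fields = line.split()
        if len(fields) >= 3 and fields[0] == facility:
            stack.append((fields[1], fields[2], fields[3:]))
    return stack

def run_stack(stack: List[Entry], outcomes: Dict[str, bool]) -> bool:
    """Evaluate the classic control flags. `outcomes` maps module name -> whether
    it succeeded for this login; pam_permit.so / pam_deny.so need no entry."""
    result: Optional[bool] = None   # None: no 'required' module has spoken yet
    for control, module, _args in stack:
        ok = outcomes.get(module, module == "pam_permit.so")
        if control == "requisite" and not ok:
            return False                         # fail the stack immediately
        if control == "required":
            result = ok if result is None else (result and ok)  # failure sticks
        elif control == "sufficient" and ok and result is not False:
            return True                          # short-circuit success
        # failed 'sufficient' and 'optional' entries do not decide the result
    return result is True

def authenticate(service: str, pam_d: Dict[str, str], outcomes: Dict[str, bool]) -> bool:
    """The file consulted is named after the service string the daemon hands to
    pam_start(); if no such file exists, PAM uses the 'other' service instead."""
    text = pam_d.get(service, pam_d["other"])
    return run_stack(parse_stack(text, "auth"), outcomes)
```

Running `authenticate("ftp", ...)` against the sample shows the practical point: with no /etc/pam.d/ftp file the "other" stack denies everyone, whatever SecurityServer or pam_unix would have said.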