Mailing Lists: Apple Mailing Lists


Re: PAM questions. HELP!



Stephen,

I tried this with our Directory Service plug-in, and it doesn't work. I
know it is looking up user info using our plugin, but I'm guessing that ftpd
tries to verify the user's password by itself? That should be easy to
verify in the source code (Apple).

My plug-in never gets a call to verify the password when I connect into my
computer using ftp (and I am using a login name that does match up with my
plugin). Logging in through the login window does work with my plugin.


--
Paul W. Nelson
Thursby Software Systems, Inc.

> From: Stephen Brandon <email@hidden>
> Date: Tue, 3 Dec 2002 22:05:54 +0000
> To: Jason Townsend <email@hidden>, email@hidden
> Subject: Re: PAM questions. HELP!
>
> Jason,
>
> I assure you, ftpd on my MacOSX Server is NOT accepting names and passwords
> via authentication in LDAP, despite being set up to authenticate via
> Directory Setup. I see from my LDAP logs that some info is requested, but a
> BIND does not appear to be attempted (as it would have to - I have not mapped
> the password attribute, and it has been removed).
>
> All my client machines which also point to this same server via
> DirectorySetup are very happy to log in at the console.
>
> Part of the problem, actually, may be that the LDAPv3 plugin makes only a
> single connection to the server, and if that breaks for any reason the client
> must be rebooted. So because the server in this case is the same as the
> client, I wonder in what order they both get started up at bootup. To try to
> avoid this I have set up both the LDAPv2 and the LDAPv3 plugin to
> authenticate to the server, as the LDAPv2 plugin seems less picky (though is
> more buggy for many operations, like console login).
>
> Does this make any sense to you?
>
> I can provide more info...
>
> Cheers,
> Stephen
>
>
> On Tuesday 03 December 2002 21:49, Jason Townsend wrote:
>>> From: Stephen Brandon <email@hidden>
>>>
>>> OK, I am now a little more confused than before :-) But Jordan's answers
>>> were a good start.
>>>
>>> A couple of questions might help out me and others:
>>>
>>> (1) is it possible to get hold of the source code for the ftpd used in
>>> MacOSX Server 10.2.2? I now understand that it's NOT lukemftpd by default,
>>> though lukemftpd is the default on OSX 10.2.2 client, and also comes with
>>> Server, though is not used by default on Server. I have found a copy of an
>>> alternative ftpd on opendarwin.org, but I have a feeling that this is not
>>> exactly the same as that on OSX Server 10.2.2 [basically I want to add DS
>>> support to the standard ftp as shipped on OSX Server 10.2.2, so I can use
>>> the OSX Server tools for adminning the FTP server, but it looks like I
>>> can't at the moment...]
>>
>> The ftpd used on Mac OS X Server should work with LDAP and Directory
>> Services without you having to modify the code. You need to use the
>> LDAPv3 plug-in in Directory Access, and configure your server with no
>> Password mapping (unless a crypt password is available).
>>
>> I just tried this out with Mac OS X Server 10.2.2 with the stock ftpd
>> and Apple's OpenLDAP server. It worked fine, so it should work for you
>> too.
>>
>>> (2) in Darwin, there's a package of pam modules that includes a lot of
>>> stuff that is not there on OSX 10.2.2 server or client, eg
>>> pam_directoryservice. Why are these not shipped on MacOSX? Does it mean
>>> that they are not 100% compatible with OSX 10.2.2? eg pam_directoryservice
>>> communicates with DirectoryService via a mach port -- not the standard way
>>> described in the DS docs, and I assume this means that DS must have mach
>>> communications enabled in it, and I can't tell if it has this as shipped
>>> on MacOSX.
>>
>> pam_directoryservice likely does not work on 10.2.x since the format
>> for Directory Services Mach messages has changed since 10.1 and before.
>> It is using direct Mach communication because at the time it was
>> written, the Directory Services was not yet open source.
>>
>> Now that DirectoryService is part of Darwin, it could be rewritten to
>> just use the DirectoryService framework which would be a better
>> approach. There is no guarantee that our Mach messaging will be
>> consistent between releases, since it is used only for local
>> communication.
>>
>> However, I don't believe this should be necessary since the default
>> setup sends PAM requests through SecurityServer which communicates with
>> lookupd and DirectoryService as appropriate to do authentication.
>>
>>> (3) If I can simply compile the extra pam modules (eg
>>> pam_directoryservice), what do I have to do to configure ftp to use
>>> pam_directoryservice.so? Do I set up a file eg /etc/pam.d/ftp and
>>> basically copy the contents of /etc/pam.d/sshd, or how do I know what
>>> filename I should use? Does this filename depend on something hardwired
>>> into the pam calls within (lukem)ftpd?
>>>
>>> Lastly, I have got loginwindow to authenticate quite happily to an
>>> openldap server that relays requests to a Novell e-directory, and
>>> manufactures some info (eg user ids) on the fly, so I at least have users
>>> logging in ok at the console. It's just ftp etc that are a real pain at
>>> the moment.
>>
>> I'm not sure how loginwindow could be working and FTP not given that
>> loginwindow depends on both lookupd and DirectoryService while ftp is
>> using lookupd only. Are you ftping to the same machine that you are
>> logging in locally on?
>>
>> -Jason
_______________________________________________
darwin-development mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/darwin-development
Do not post admin requests to the list. They will be ignored.
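Stephen's question (3) above asks how a PAM-aware daemon such as ftpd decides which file under /etc/pam.d to read. The answer is that the daemon passes a fixed service name to pam_start(); the PAM library then consults /etc/pam.d/<service>, and if that file is absent it falls back to /etc/pam.d/other. The script below is an added example written for this archive page, not code from the thread or from Apple: it builds a constructed pam.d tree in a temporary directory, resolves the service name the way PAM does, and lists the resulting auth stack. The sshd file contents are an assumed illustration of the SecurityServer-based setup Jason describes (pam_securityserver.so is assumed to be the module name); the "other" file is deliberately default-deny, since a permissive fallback would silently grant any service whose name has no dedicated file.

```shell
#!/bin/sh
# Added example (not from the thread): how PAM maps a service name to its
# configuration file, and what the auth stack of that file looks like.

# pam_config_for DIR SERVICE -> prints the file PAM would consult.
# Mirrors the library rule: DIR/SERVICE if present, else DIR/other.
pam_config_for() {
    dir="$1"; service="$2"
    if [ -f "$dir/$service" ]; then
        printf '%s\n' "$dir/$service"
    elif [ -f "$dir/other" ]; then
        printf '%s\n' "$dir/other"
    else
        printf 'none\n'
    fi
}

# pam_auth_modules FILE -> prints the modules in the "auth" stack, in order.
# Comments and non-auth lines are skipped.
pam_auth_modules() {
    awk '$1 == "auth" { print $3 }' "$1"
}

# setup_sandbox DIR -> creates a constructed pam.d tree with an sshd file
# (assumed contents, modelled on the SecurityServer setup) and a
# default-deny "other" file.
setup_sandbox() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/sshd" <<'EOF'
# auth stack: order matters; "sufficient" short-circuits on success
auth       sufficient   pam_securityserver.so
auth       required     pam_deny.so
account    required     pam_permit.so
password   required     pam_deny.so
session    required     pam_permit.so
EOF
    cat > "$dir/other" <<'EOF'
# fallback for any service without its own file: deny everything
auth       required     pam_deny.so
account    required     pam_deny.so
password   required     pam_deny.so
session    required     pam_deny.so
EOF
}

# Stand-alone demonstration: before and after adding an "ftp" file.
demo_dir="$(mktemp -d)"
setup_sandbox "$demo_dir"
echo "ftp resolves to: $(pam_config_for "$demo_dir" ftp)"
cp "$demo_dir/sshd" "$demo_dir/ftp"      # the copy-sshd approach from (3)
echo "ftp resolves to: $(pam_config_for "$demo_dir" ftp)"
echo "ftp auth stack:"
pam_auth_modules "$(pam_config_for "$demo_dir" ftp)"
rm -rf "$demo_dir"
```

The service name itself is whatever string the daemon compiled in, so the only reliable way to learn it is to read the daemon's pam_start() call or watch which file it opens; a daemon that does not call PAM at all, as Paul suspects of this ftpd, will never consult any of these files.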

References: 
 >Re: PAM questions. HELP! (From: Stephen Brandon <email@hidden>)