Local unix user authentication


caruccio

May 15, 2012, 3:18:20 PM
to gito...@googlegroups.com
Hello everybody.

Sorry for my just-joined-and-start-posting behavior, but that was really necessary :(

Long story short: I need to authenticate my gitorious web clients against local unix users (in fact, it uses LDAP/PAM).

Is it possible? Where can I find help on this topic?
That LDAPAuthenticator is not enough. My IT department is all about 'internal policies' and I need to fit their requirements. 

PS: I'm completely illiterate in ruby. Maybe it's time to learn some .rb :P

Thanks for any help,
Mateus Caruccio

Rodrigo Rosenfeld Rosas

May 15, 2012, 3:54:18 PM
to gito...@googlegroups.com
On 15-05-2012 16:18, caruccio wrote:
> Hello everybody.
>
> Sorry for my just-joined-and-start-posting behavior, but that was
> really necessary :(
>
> Long story short: I need to authenticate my gitorious web clients
> against local unix users (in fact, it uses LDAP/PAM).
>
> Is it possible? Where can I find help on this topic?
> That LDAPAuthenticator is not enough. My IT department is all about
> 'internal policies' and I need to fit their requirements.
>

I don't have a clue about how the current LDAP support works, but
certainly the people that do have won't be able to help you unless you
explain why LDAPAuthenticator is not enough.

Best,
Rodrigo.

caruccio

May 16, 2012, 8:16:17 AM
to gito...@googlegroups.com
Because the machine already authenticates against LDAP (via PAM), and our IT does not accept duplicated configuration for the simple purpose of authentication (which makes sense to me).

I really want to use gitorious and become freed of manual git management.
Last week I almost did a 'rm -r * module' (note an extra space between '*' and 'module') on our entire repository.

Sebastian Otaegui

May 16, 2012, 8:25:25 AM
to gito...@googlegroups.com
How is authenticating directly against ldap duplicated configuration?


--
Those who do not understand Unix are condemned to reinvent it, poorly.
Any sufficiently recent Microsoft OS contains an ad hoc, informally-specified, bug-ridden, slow implementation of half of Unix.

caruccio

May 16, 2012, 9:54:14 AM
to gito...@googlegroups.com
Can I use (import) my existing LDAP configuration into gitorious automatically?
If not, it will be duplicated: one in /etc/ldap.conf and another in authentication.yml
I mean, two files with same information is redundant information (not good).


Rodrigo Rosenfeld Rosas

May 16, 2012, 10:07:56 AM
to gito...@googlegroups.com
Then I wish you luck on any software with authentication that you intend to integrate to your server.

caruccio

May 16, 2012, 10:23:05 AM
to gito...@googlegroups.com
All my software already integrates fine because I use PAM as my "auth gateway".

What I'm trying to point out is that gitorious could have a more "standard" authentication module, like PAM, out of the box (please note it's not a demand, only an observation).

Rodrigo Rosenfeld Rosas

May 16, 2012, 10:41:56 AM
to gito...@googlegroups.com
I'd argue that LDAP is as standard as PAM. I don't understand why you think that PAM is more "standard" than LDAP.

It is pretty common practice to re-enter the authentication settings on each system you are integrating, just like it happens on Redmine, ChiliProject and all other web systems I know about.

I don't consider this a duplication in the same sense when we talk about programming.

You can consider writing a Chef recipe that will set up your server for you. That way you would enter the credential settings in a single place and your chef recipe would replicate them to each configured application.

But the most important thing is that this is no valid argument for not using an application just because it doesn't integrate to PAM IMO.

That is why I'm wishing you good luck on trying to convince someone to add support to PAM authentication for free just to make you happy.

You can also try hiring the Gitorious company to integrate it to PAM:

http://gitorious.com/

That would be more likely to work if this is so important to you.

Kind regards,
Rodrigo.

caruccio

May 16, 2012, 10:59:55 AM
to gito...@googlegroups.com
You are right. There is no "this is more/less standard than that".
But, when talking about something so basic, so widespread and common, like authentication, for me (and that is my personal opinion) it seems much more logical to start implementing the common-case.

LDAP, and this is a fact, is not as common as passwd authentication, so I'd start by authenticating local users, then moving to PAM, LDAP and database authentication. It's just a point of increasing complexity.

Of course I can do it myself, or pay someone at gitorious.org to do it for me, but hey, this is internet! Probably someone, somewhere has done it already by simple pleasure (as I did before in others' projects). Why not reuse?

Rodrigo Rosenfeld Rosas

May 16, 2012, 11:18:27 AM
to gito...@googlegroups.com
On 16-05-2012 11:59, caruccio wrote:
> You are right. There is no "this is more/less standard than that".
> But, when talking about something so basic, so widespread and common, like authentication, for me (and that is my personal opinion) it seems much more logical to start implementing the common-case.
>
> LDAP, and this is a fact, is not as common as passwd authentication, so I'd start by authenticating local users, then moving to PAM, LDAP and database authentication. It's just a point of increasing complexity.

This is the first time I see someone requesting PAM authentication on this list. On the other side there was a number of requests for LDAP support before it was implemented. So I don't understand why you think PAM is more common than LDAP.

If you also take a look at other projects, there are a number of them that do support LDAP, but I can't remember an open-source web application that is integrated to PAM.

I'm pretty sure that if you tell us what would be required to integrate to PAM, someone could be interested on doing so. People here know about Ruby, but not about PAM. If you know about PAM, but not about Ruby, explaining how it works in implementation level detailed requirements, I guess that would make this effort happen.


> Of course I can do it myself, or pay someone at gitorious.org to do it for me,

I said gitorious.com, not gitorious.org.


> but hey, this is internet! Probably someone, somewhere has done it already by simple pleasure (as I did before in others' projects). Why not reuse?

Show us some open-source Ruby application that already integrates to PAM and we could try to make it happen on Gitorious as well :)

Cheers,
Rodrigo.

Rodrigo Rosenfeld Rosas

May 16, 2012, 11:27:49 AM
to gito...@googlegroups.com
This library seems to support PAM integration in Ruby:

https://github.com/canweriotnow/rpam-ruby19

Rodrigo Rosenfeld Rosas

May 16, 2012, 11:31:51 AM
to gito...@googlegroups.com
This worked for my local passwords:

sudo apt-get install libpam-dev
gem install rpam-ruby19
ruby -rrpam -e "p Rpam.auth 'rodrigo', 'password'"
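
An added example, not part of the original post and not Gitorious or rpam code: one way a Ruby web application could wrap the Rpam.auth call shown above so that malformed input and backend errors end in a denial instead of reaching PAM or raising. The PamAuthenticator class, its backend parameter, the login-name pattern, the password size limit and FAKE_PAM are assumptions made for illustration.

```ruby
# Hypothetical PAM-backed authenticator for a Ruby web application.
# Not Gitorious code; the class name and interface are assumptions.
class PamAuthenticator
  # Conservative login-name policy (assumption, adjust to the site's naming):
  # rejects empty and overlong names and anything carrying NUL, whitespace,
  # newlines or path separators before the value is handed to PAM.
  VALID_LOGIN = /\A[a-z_][a-z0-9_.-]{0,31}\z/

  # Upper bound on password size (assumption) to avoid feeding PAM
  # arbitrarily large request bodies.
  MAX_PASSWORD_BYTES = 512

  # backend: callable (username, password) -> true on success.
  # The default loads the rpam-ruby19 gem lazily and uses Rpam.auth,
  # the call shown in the thread.
  def initialize(backend: nil)
    @backend = backend || lambda do |user, pass|
      require 'rpam'
      Rpam.auth(user, pass)
    end
  end

  # Returns true only when the backend answers exactly true.
  # Bad input, false/nil, any other value, a missing gem or an exception
  # raised by the backend all count as a denial (fail closed).
  def authenticate(username, password)
    return false unless username.is_a?(String) && password.is_a?(String)
    return false unless VALID_LOGIN.match?(username)
    return false if password.empty? || password.bytesize > MAX_PASSWORD_BYTES
    return false if password.include?("\0")
    @backend.call(username, password) == true
  rescue StandardError, LoadError
    false
  end
end

# Constructed stand-in for PAM so the example runs without the gem or a
# real account; 'alice' and her password are sample values.
FAKE_PAM = lambda { |user, pass| user == 'alice' && pass == 'correct horse' }

auth = PamAuthenticator.new(backend: FAKE_PAM)
puts auth.authenticate('alice', 'correct horse')         # valid credentials
puts auth.authenticate("alice\nroot", 'correct horse')   # malformed login name
```

With pam_unix, a non-root process can usually verify only its own account's password, so a web application running as a service user may see denials for other local accounts unless the PAM stack resolves them through another module such as LDAP.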

Rodrigo Rosenfeld Rosas

May 16, 2012, 11:37:51 AM
to gito...@googlegroups.com
Just a note about popularity of PAM:

https://github.com/intridea/omniauth/wiki/List-of-Strategies

The omniauth gem seems to support a number of authentication strategies, but PAM is not among them :)

But I can understand your motivation, although particularly I'd prefer to integrate directly to LDAP if I were you.

Cheers,
Rodrigo.