Contribution: authentication via PAM (class Pluf_Auth_PAMBackend)


Mateus Caruccio

Jun 19, 2012, 6:48:12 PM
to pluf-...@googlegroups.com
Hi,

Since I need to authenticate using PAM, I decided to write the class Pluf_Auth_PamBackend (attached).
It is based on Pluf_Auth_LdapBackend.

Upon logging in, if the user does not exist inside inDefero's database, it is created just like LdapBackend does.
However, PAM does not store user information like the user's first and last name.

To circumvent this, the class will look for it using posix_getpwnam()'s fields 'gecos' and 'name'.
If it still does not find a usable name, it will split the login (the same used to log into indefero)
and set it as first/last names (Ex: login='john.doe' becomes first='John' and last='Doe').
If it fails, the login is used as last name only (Ex: login='john' becomes first='' and last='John' - I assume this behavior because I think a user MUST have a last name upon registering, please could someone confirm that?).

The module has only one configuration:

   auth_pam_email_server:
      hostname side for the default email server of newly registered users (first login via PAM).
      A newly logged-in user will then be created with email "john...@example.com".
      Default="example.com".

For this to work, one must install:
   - php module pam (http://pecl.php.net/package/PAM);
   - package php-process (CentOS only?) which contains posix_*() functions. Try it out with:
          $ echo '<?php posix_getpwnam("");?>' | php

 (Keep in mind some distributions may not be PAM-aware)

One problem is that users created inside indefero's database (after login via PAM) will be completely disconnected from their PAM counterparts, i.e., a password change in one system will have no effect inside the other system. More work is needed to better integrate PAM into indefero (extend the Pluf_User class as Pluf_Pam_User? any ideas?).

Have fun,
Mateus Caruccio

PS: Please note I'm not a PHP programmer, so I may have produced "weird" code ;)


PamBackend.php
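
The name fallback described in the post, sketched as an added example; it is not the attached PamBackend.php, and `derive_names()`, `clean_name()` and the 30-character cap are assumptions made for illustration. GECOS is user-editable on many systems, so the sketch cleans it before the value would be stored or displayed.

```php
<?php
// Added example, not the attached PamBackend.php. derive_names() and
// clean_name() are hypothetical helpers; the 30-character cap is assumed.

// GECOS is user-editable on many systems (chfn), so treat it as untrusted:
// drop control characters, collapse whitespace, cap the length.
function clean_name(string $s, int $max = 30): string
{
    $s = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $s);
    $s = trim(preg_replace('/\s+/', ' ', $s));
    return function_exists('mb_substr') ? mb_substr($s, 0, $max, 'UTF-8') : substr($s, 0, $max);
}

// $pw is what posix_getpwnam($login) returned: an array, or false if no entry.
function derive_names(string $login, $pw): array
{
    // 1. Full name from GECOS: by convention the first comma-separated subfield.
    $full = '';
    if (is_array($pw) && !empty($pw['gecos'])) {
        $full = clean_name(explode(',', $pw['gecos'])[0]);
    }
    if ($full !== '' && strpos($full, ' ') !== false) {
        $parts = explode(' ', $full);
        $last = array_pop($parts);
        return [implode(' ', $parts), $last];
    }
    // 2. Split the login on dots: 'john.doe' => 'John', 'Doe'.
    $parts = array_values(array_filter(explode('.', clean_name($login)), 'strlen'));
    if (count($parts) >= 2) {
        $last = ucfirst(array_pop($parts));
        return [implode(' ', array_map('ucfirst', $parts)), $last];
    }
    // 3. Last resort: login as last name only, empty first name.
    return ['', ucfirst(clean_name($login))];
}

// Constructed passwd entries (not real accounts).
$samples = [
    ['john.doe', ['name' => 'john.doe', 'gecos' => 'John A. Doe,Room 1,555-0100']],
    ['john.doe', ['name' => 'john.doe', 'gecos' => '']],
    ['john',     false],
    ['eve',      ['name' => 'eve', 'gecos' => "Eve\x1b[31m Adams"]],
];
foreach ($samples as [$login, $pw]) {
    [$first, $last] = derive_names($login, $pw);
    printf("%-9s first=%s last=%s\n", $login, json_encode($first), json_encode($last));
}
```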