[keycloak-dev] PAM integration with FreeIPA

John Dennis jdennis at redhat.com
Thu Jun 23 12:25:42 EDT 2016


On 06/23/2016 10:00 AM, Bruno Oliveira wrote:
> Good morning,
>
> One of the use case scenarios described for FreeIPA is the integration via PAM
> and SSSD, which "automagically" handles the authentication against the IdM.
>
> This first step requires pretty much an IPA setup, but
> works with libpam4j[1]. Now, thinking about Keycloak, I
> would like to have an Authenticator for PAM[2], which is pretty much our
> UsernamePasswordForm + PAM. Does it make sense?
>
> Current flow:
>
> * User logs into Web application with username/password
> * PAM authenticator collects data and authenticates against PAM
> * SSSD authenticates against IdM
> * Authentication is complete
>
> After the last step, should we propagate that user to our database?
> Maybe, like Marek already mentioned, have a SSSDFederationProvider?
>
> [1] -
> http://search.maven.org/#artifactdetails%7Corg.abstractj%7Clibpam4j%7C1.9.0%7Cjar
> [2] - https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-spi.html

Simo brought up a concern after forwarding this to our internal identity 
team list. His comment is:

>
> Current flow:
>
> * User logs into Web application with username/password
> * PAM authenticator collects data and authenticates against PAM

I am worried about how these 2 steps are expressed, it seems to imply PAM
is used only as a username/password verifier.
There is no mention/awareness of PAM conversations where we can prompt
for things like second factors or password changes.



-- 
John
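To illustrate Simo's point about PAM conversations, here is an added example (not code from this thread, from Keycloak or from libpam4j): a conversation callback for a web login that answers prompts from what the form already collected and, when the module asks for something it never collected (a second factor), records that prompt so the web layer can render it as a further step instead of treating PAM as a one-shot password check. The PAM constants and structs mirror Linux-PAM's header so the file compiles without libpam-dev; `web_answers`, `web_conv`, `prompts_answered` and the simulated two-prompt module are hypothetical names for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Mirrors <security/pam_appl.h> (Linux-PAM values) so this compiles without
 * libpam-dev; include the real header instead when building against libpam. */
enum { PAM_SUCCESS = 0, PAM_PROMPT_ECHO_OFF = 1, PAM_PROMPT_ECHO_ON = 2,
       PAM_ERROR_MSG = 3, PAM_TEXT_INFO = 4, PAM_CONV_ERR = 19 };
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
/* appdata_ptr: answers the web form already collected (in order), how many
 * there are, which is next, and the text of a prompt we could not answer. */
struct web_answers { const char *answers[4]; int count, next; char pending[128]; };
static char *dup_str(const char *s)   /* strdup, without relying on POSIX */
{ char *d = malloc(strlen(s) + 1); return d ? strcpy(d, s) : NULL; }
/* Conversation callback: prompts are answered from the queue. A prompt the form
 * never collected (OTP, new password) is saved in `pending` and the
 * conversation fails, so the web layer can show that prompt as a next step. */
static int web_conv(int n, const struct pam_message **msg,
                    struct pam_response **resp, void *appdata_ptr)
{
    struct web_answers *wa = appdata_ptr; struct pam_response *r;
    if (n <= 0 || (r = calloc((size_t)n, sizeof *r)) == NULL) return PAM_CONV_ERR;
    for (int i = 0; i < n; i++) {
        int style = msg[i]->msg_style;
        if (style == PAM_TEXT_INFO || style == PAM_ERROR_MSG)
            continue;   /* informational; a real app relays this to the user */
        if ((style == PAM_PROMPT_ECHO_OFF || style == PAM_PROMPT_ECHO_ON) &&
            wa->next < wa->count) { r[i].resp = dup_str(wa->answers[wa->next++]); continue; }
        snprintf(wa->pending, sizeof wa->pending, "%s", msg[i]->msg);
        while (i-- > 0) free(r[i].resp);
        free(r);
        return PAM_CONV_ERR;
    }
    *resp = r;
    return PAM_SUCCESS;
}
/* Stand-in for a module with a 2FA policy (e.g. pam_sss with two-factor
 * prompting): two hidden prompts in turn. Returns how many prompts the form's
 * answers satisfied: 2 = auth can complete, 1 = show wa.pending to the user. */
int prompts_answered(const char *password, const char *otp)
{
    struct web_answers wa = { { password, otp }, otp ? 2 : 1, 0, "" };
    const char *texts[] = { "Password: ", "Second factor: " }; int done = 0;
    for (int i = 0; i < 2; i++) {
        struct pam_message m = { PAM_PROMPT_ECHO_OFF, texts[i] };
        const struct pam_message *mp = &m; struct pam_response *r = NULL;
        if (web_conv(1, &mp, &r, &wa) != PAM_SUCCESS) break;
        free(r[0].resp); free(r); done++;
    }
    return done;
}
```

A form that only collected a password stops after the first prompt with `pending` set to "Second factor: ", which is exactly the state a stateless username/password authenticator has no way to represent.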

