[keycloak-dev] PAM integration with FreeIPA

Bruno Oliveira bruno at abstractj.org
Thu Jun 23 13:59:59 EDT 2016


On 2016-06-23, John Dennis wrote:
> On 06/23/2016 10:00 AM, Bruno Oliveira wrote:
> > Good morning,
> >
> > One of the use-case scenarios described for FreeIPA is the integration via PAM
> > and SSSD, which "automagically" handles the authentication against the IdM.
> >
> > This first step requires pretty much an IPA setup, but
> > works with libpam4j[1]. Now, thinking about Keycloak, I
> > would like to have an Authenticator for PAM[2], which is pretty much our
> > UsernamePasswordForm + PAM. Does it make sense?
> >
> > Current flow:
> >
> > * User logs into Web application with username/password
> > * PAM authenticator collects data and authenticates against PAM
> > * SSSD authenticates against IdM
> > * Authentication is complete
> >
> > After the last step, should we propagate that user to our database?
> > Maybe, like Marek already mentioned, have a SSSDFederationProvider?
> >
> > [1] -
> > http://search.maven.org/#artifactdetails%7Corg.abstractj%7Clibpam4j%7C1.9.0%7Cjar
> > [2] - https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-spi.html
>
> Simo brought up a concern after forwarding this to our internal identity
> team list. His comment is:
>
> >
> > Current flow:
> >
> > * User logs into Web application with username/password
> > * PAM authenticator collects data and authenticates against PAM
>
> I am worried about how these 2 steps are expressed; it seems to imply PAM
> is used only as a username/password verifier.
> There is no mention/awareness of PAM conversations where we can prompt
> for things like second factors or password changes.

We discussed several scenarios with Dmitri; one of the most basic
scenarios he described is the following:

* An AD user starts a browser and connects to a resource
* Resource redirects to Keycloak
* User is presented with a login form
* User fills username and password
* User data is collected and passed to SSSD over D-Bus
* SSSD authenticates against AD via IdM; user data is returned from AD and IdM

After some talk, we agreed that this should happen with PAM, because
today there's no way to pass arguments to SSSD.

* Authentication complete
* Assertion/token is issued
* User is redirected to the resource

OTP is covered and properly described for other scenarios and will be
taken into consideration when I start to look at this.

>
> --
> John

--

abstractj
PGP: 0x84DC9914
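To make the "UsernamePasswordForm + PAM" idea from the thread concrete, here is an added example of what such a Keycloak Authenticator could look like. It is not code from Keycloak, from libpam4j or from anyone in this thread. It assumes the upstream libpam4j package name org.jvnet.libpam (the org.abstractj fork referenced above may differ), the Keycloak Authenticator SPI as it existed in mid-2016 (createLogin() on LoginFormsProvider, getUserByUsername(username, realm)), a PAM service file /etc/pam.d/keycloak that uses pam_sss, and a hypothetical package name. The AuthenticatorFactory needed to register it with the server is left out.

```java
package org.example.pam; // hypothetical package, chosen for this example

import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;

import org.jvnet.libpam.PAM;
import org.jvnet.libpam.PAMException;
import org.jvnet.libpam.UnixUser;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/**
 * UsernamePasswordForm + PAM: renders the stock login form, then hands the
 * submitted credentials to the host's PAM stack through libpam4j, which in
 * turn reaches SSSD via pam_sss.
 *
 * Caveat (Simo's point in the thread): libpam4j answers only the password
 * prompt of the PAM conversation. If the PAM stack asks for anything else
 * (an OTP, a password change), that prompt is not answered and
 * authentication fails here instead of producing a second form.
 */
public class PamAuthenticator implements Authenticator {

    // Assumed PAM service; /etc/pam.d/keycloak must exist and use pam_sss.
    private static final String PAM_SERVICE = "keycloak";

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        // Step 1 of the flow: present the username/password form.
        Response challenge = context.form().createLogin();
        context.challenge(challenge);
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        // Step 2: collect the posted form fields.
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        String username = form.getFirst("username");
        String password = form.getFirst("password");
        if (username == null || username.isEmpty() || password == null) {
            context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS,
                    context.form().setError("invalidUserMessage").createLogin());
            return;
        }

        // Step 3: PAM -> pam_sss -> SSSD -> IdM/AD. The password never leaves
        // this host except through SSSD's own channel to the IdM.
        UnixUser unixUser;
        PAM pam = null;
        try {
            pam = new PAM(PAM_SERVICE);
            unixUser = pam.authenticate(username, password);
        } catch (PAMException e) {
            // Same generic error for "no such user" and "bad password", so the
            // form does not leak which usernames exist in the IdM.
            context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS,
                    context.form().setError("invalidUserMessage").createLogin());
            return;
        } finally {
            if (pam != null) {
                pam.dispose();
            }
        }

        // Step 4: PAM verified the password, but Keycloak still needs a UserModel.
        // Without a federation provider importing users from SSSD, the user
        // must already exist in the realm; this is the propagation question
        // raised in the thread.
        RealmModel realm = context.getRealm();
        UserModel user = context.getSession().users().getUserByUsername(unixUser.getUserName(), realm);
        if (user == null) {
            context.failure(AuthenticationFlowError.INVALID_USER);
            return;
        }
        context.setUser(user);
        context.success();
    }

    @Override
    public boolean requiresUser() {
        return false; // the user is identified by this authenticator itself
    }

    @Override
    public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
        return true;
    }

    @Override
    public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) {
    }

    @Override
    public void close() {
    }
}
```

The JVM process running Keycloak must be able to open the PAM service and, for pam_sss, talk to the SSSD socket; on most hosts that means the service account needs the same access a local login program has. The INVALID_USER failure in step 4 is where an SSSDFederationProvider, as suggested in the thread, would instead create or look up the user before the login completes.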

