[keycloak-dev] PAM integration with FreeIPA

Bill Burke bburke at redhat.com
Thu Jun 23 11:58:21 EDT 2016


In this scenario, can a user be looked up out of band?  Meaning, out of 
band of the authentication process?

On 6/23/16 10:00 AM, Bruno Oliveira wrote:
> Good morning,
>
> One of the use case scenarios described for FreeIPA is the integration via PAM
> and SSSD, which "automagically" handles the authentication against the IdM.
>
> This first step requires pretty much an IPA setup, but
> works with libpam4j[1]. Now, thinking about Keycloak, I
> would like to have an Authenticator for PAM[2], which is pretty much our
> UsernamePasswordForm + PAM. Does it make sense?
>
> Current flow:
>
> * User logs into Web application with username/password
> * PAM authenticator collects data and authenticates against PAM
> * SSSD authenticates against IdM
> * Authentication is complete
>
> After the last step, should we propagate that user to our database?
> Maybe, like Marek already mentioned, have an SSSDFederationProvider?
>
> [1] -
> http://search.maven.org/#artifactdetails%7Corg.abstractj%7Clibpam4j%7C1.9.0%7Cjar
> [2] - https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-spi.html
>
>
>
> --
>
> abstractj
> PGP: 0x84DC9914
>
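
Added example, not code from this thread or from Keycloak: a sketch of the "PAM authenticator" step in the flow above using libpam4j, together with a password-less lookup of the kind asked about at the top of the message. The class name `PamCredentialCheck`, the PAM service name `keycloak`, and the assumption that NSS on the host resolves IdM users through SSSD are all illustrative.

```java
import org.jvnet.libpam.PAM;
import org.jvnet.libpam.PAMException;
import org.jvnet.libpam.UnixUser;

import java.util.Optional;
import java.util.logging.Level;
import java.util.logging.Logger;

/** Hypothetical helper: verifies a username/password pair through PAM. */
public final class PamCredentialCheck {

    private static final Logger LOG = Logger.getLogger(PamCredentialCheck.class.getName());

    // Assumed service name: /etc/pam.d/keycloak must exist and delegate to pam_sss.
    // A dedicated service file keeps this login path separate from sshd or login policy.
    private static final String PAM_SERVICE = "keycloak";

    /** In-band check: returns the account only when PAM accepts the password. */
    public static Optional<UnixUser> authenticate(String username, String password) {
        if (username == null || username.isEmpty() || password == null || password.isEmpty()) {
            return Optional.empty(); // never hand empty credentials to the PAM stack
        }
        PAM pam = null;
        try {
            pam = new PAM(PAM_SERVICE);
            // Runs the auth and account stacks; throws PAMException on any failure.
            return Optional.of(pam.authenticate(username, password));
        } catch (PAMException e) {
            // Log the reason server-side only; the caller shows one generic error so
            // the form does not reveal whether the account exists, is locked or expired.
            LOG.log(Level.FINE, "PAM rejected login for " + username, e);
            return Optional.empty();
        } finally {
            if (pam != null) {
                pam.dispose(); // release the native PAM handle
            }
        }
    }

    /** Out-of-band lookup: resolves the account through NSS, no password involved. */
    public static Optional<UnixUser> lookup(String username) {
        try {
            // Assumption: getpwnam() answers for IdM users because SSSD backs NSS.
            return UnixUser.exists(username) ? Optional.of(new UnixUser(username)) : Optional.empty();
        } catch (PAMException e) {
            return Optional.empty();
        }
    }
}
```

A successful `lookup` only says the account is resolvable on the host; it must not be treated as proof of authentication or as a substitute for the PAM account checks.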

