[keycloak-dev] PAM integration with FreeIPA

Bruno Oliveira bruno at abstractj.org
Thu Jun 23 13:56:20 EDT 2016


I'm not sure if I follow your question. Do you mean using two channels
to authenticate a user? Could you please elaborate more?


On 2016-06-23, Bill Burke wrote:
> In this scenario, can a user be looked up out of band?  Meaning, out of
> band of the authentication process?
>
> On 6/23/16 10:00 AM, Bruno Oliveira wrote:
> > Good morning,
> >
> > One of the use case scenarios described for FreeIPA is the integration via PAM
> > and SSSD, which "automagically" handles the authentication against the IdM.
> >
> > This first step requires pretty much an IPA setup, but
> > works with libpam4j[1]. Now, thinking about Keycloak, I
> > would like to have an Authenticator for PAM[2], which is pretty much our
> > UsernamePasswordForm + PAM. Does it make sense?
> >
> > Current flow:
> >
> > * User logs into Web application with username/password
> > * PAM authenticator collects data and authenticates against PAM
> > * SSSD authenticates against IdM
> > * Authentication is complete
> >
> > After the last step, should we propagate that user to our database?
> > Maybe, like Marek already mentioned, have a SSSDFederationProvider?
> >
> > [1] - http://search.maven.org/#artifactdetails%7Corg.abstractj%7Clibpam4j%7C1.9.0%7Cjar
> > [2] - https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-spi.html
> >
> >
> >
> > --
> >
> > abstractj
> > PGP: 0x84DC9914
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >

--

abstractj
PGP: 0x84DC9914
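
The PAM step of the flow quoted above, as an added example that is not code from this thread or from Keycloak: a credential check through libpam4j that fails closed and always releases the PAM handle. It assumes the libpam4j classes live in `org.jvnet.libpam` as in upstream libpam4j; the PAM service name `keycloak` (a file `/etc/pam.d/keycloak` whose `auth` and `account` lines use `pam_sss.so`) and the class name `PamCredentialCheck` are hypothetical.

```java
import java.io.Console;
import java.util.Optional;

import org.jvnet.libpam.PAM;
import org.jvnet.libpam.PAMException;
import org.jvnet.libpam.UnixUser;

public final class PamCredentialCheck {

    // Hypothetical service name: maps to /etc/pam.d/keycloak, which is
    // assumed to delegate auth and account checks to SSSD (pam_sss.so).
    private static final String PAM_SERVICE = "keycloak";

    // Returns the authenticated user, or empty on any failure (fail closed).
    static Optional<UnixUser> verify(String username, String password) {
        if (username == null || username.isEmpty()
                || password == null || password.isEmpty()) {
            return Optional.empty();
        }
        PAM pam = null;
        try {
            pam = new PAM(PAM_SERVICE);
            // PAM -> pam_sss -> SSSD -> IdM; throws PAMException on rejection.
            return Optional.of(pam.authenticate(username, password));
        } catch (PAMException e) {
            // Do not log the password or reveal which factor failed.
            return Optional.empty();
        } finally {
            if (pam != null) {
                pam.dispose(); // release the native PAM handle
            }
        }
    }

    public static void main(String[] args) {
        Console console = System.console();
        if (console == null) {
            System.err.println("No interactive console available");
            return;
        }
        String username = console.readLine("Username: ");
        char[] password = console.readPassword("Password: ");
        Optional<UnixUser> user = verify(username, new String(password));
        java.util.Arrays.fill(password, '\0'); // clear the local copy
        System.out.println(user
                .map(u -> "Authenticated " + u.getUserName() + " groups=" + u.getGroups())
                .orElse("Authentication failed"));
    }
}
```

The `UnixUser` returned on success carries only what the local NSS/SSSD lookup provides (name, UID, GID, groups); whether to persist it in Keycloak is the question the thread leaves open.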

