[keycloak-dev] PAM integration with FreeIPA
John Dennis
jdennis at redhat.com
Fri Jun 24 10:54:37 EDT 2016
On 06/24/2016 10:02 AM, Stian Thorgersen wrote:
> We can support authentication over multiple steps as we already do that
> for OTP. However, the problem will be with regards to the conversation
> as this would require sticky sessions if clustered to make sure the
> second step is sent to the same node. Can't PAM verify the two
> independently? First password, then separately OTP? That would make it
> much simpler and stateless.
PAM is implemented as a C language library running in the address space
of a single process (remember I said it was 20 years old :-). The state
is kept in the address space of that process. That is the primary
limitation and would really restrict you with regards to distributing
the conversation across processes.
I don't know if anyone has tried to address this, perhaps others in
our group would know. It's been years since I coded PAM; I hope my
recollections are correct on all accounts.
This constraint should not be an issue for simple username/password auth
because the PAM conversation can be completed as part of one single HTTP
request.
My thought here (but I don't have the final say) is let's not worry
about this for the first implementation. If we can avoid boxing
ourselves in by some implementation design choice we should take it into
consideration if possible.
--
John