User story #6230
Proposal: PAM authentication (closed)
Description
Rudder is almost our only web application that has local authentication only. Most of our other web applications talk to PAM or have the ability to set authentication to HTTP auth, and then Apache talks to PAM by using htaccess. That's how Zabbix does it; it has the possibility to set authentication to HTTP auth. In our case PAM is configured to talk to winbind, which then talks to Active Directory. And, as a side note, IMHO it would be nice to the users to move auth configuration to the web application.
Updated by François ARMAND almost 10 years ago
- Subject changed from Proposal: more advanced authentication to Proposal: PAM authentication
- Target version changed from 2.11.7 to 3.1.0~beta1
Denis,
You can't use PAM authentication for now (but patches or sponsored dev are welcome!).
Nonetheless, you can use LDAP/Active Directory authentication: http://www.rudder-project.org/rudder-doc-2.11/rudder-doc.html#ldap-auth-provider.
The authorizations are still to be configured locally, of course.
> And, as a side note, IMHO it would be nice to the users to move auth configuration to the web application.
It's something we need to do, yes.
Updated by Benoît PECCATTE over 9 years ago
Using PAM may be a bit difficult since authentication is done within the Scala application.
Moreover, authenticating on a web application with a local user seems a bit weird to me.
Updated by Vincent MEMBRÉ over 9 years ago
- Target version changed from 3.1.0~beta1 to 3.1.0~rc1
Updated by Vincent MEMBRÉ over 9 years ago
- Target version changed from 3.1.0~rc1 to 3.1.0
Updated by Vincent MEMBRÉ over 9 years ago
- Target version changed from 3.1.0 to 3.1.1
Updated by Vincent MEMBRÉ over 9 years ago
- Target version changed from 3.1.1 to 3.1.2
Updated by Jonathan CLARKE over 9 years ago
- Target version changed from 3.1.2 to Ideas (not version specific)
Updated by Matthieu CERDA over 9 years ago
- Has duplicate User story #7147: Can Rudder Jetty talk AD? added
Updated by Matthieu CERDA over 9 years ago
I guess we should do what SSO-enabled applications do: give the possibility in the application to use the HTTP REMOTE_USER variable, delegating the task of authenticating the user to the application server or an upper layer (like Apache).
Obviously, a special warning should be issued to the user: in this mode, Rudder will blindly trust what Jetty sends to it, so the user should be well aware of the security implications and must provide the right authentication layer himself/herself :)
Updated by Benoît PECCATTE almost 7 years ago
- Status changed from Discussion to New
- Assignee deleted (Jonathan CLARKE)
Updated by Alexis Mousset over 1 year ago
- Status changed from New to Rejected
- Regression set to No
PAM is not the current trend, we now support LDAP+OIDC, closing.