Project

General

Profile

Actions

User story #6230

closed

Proposal: PAM authentication

Added by Dennis Cabooter almost 10 years ago. Updated about 1 year ago.

Status:
Rejected
Priority:
N/A
Assignee:
-
Category:
Web - Maintenance
UX impact:
Suggestion strength:
User visibility:
Effort required:
Name check:
Fix check:
Regression:
No

Description

Rudder is almost our only web application that has local authentication only. Most of our other web applications talk to PAM or have the ability to set authentication to HTTP auth, and then Apache talks to PAM by using htaccess. That's how Zabbix does it; it has the possibility to set authentication to HTTP auth. In our case PAM is configured to talk to winbind, which then talks to Active Directory. And, as a side note, IMHO it would be nice to the users to move auth configuration to the web application.


Related issues 1 (0 open1 closed)

Has duplicate Rudder - User story #7147: Can Rudder Jetty talk AD?Rejected2015-08-31Actions
Actions #1

Updated by François ARMAND almost 10 years ago

  • Subject changed from Proposal: more advanced authentication to Proposal: PAM authentication
  • Target version changed from 2.11.7 to 3.1.0~beta1

Denis,

You can't use PAM authentication for now (but patches or sponsored dev are welcomed!).
Nonetheless, you can use LDAP/Active Directory authentication: http://www.rudder-project.org/rudder-doc-2.11/rudder-doc.html#ldap-auth-provider.
The authorization are still to be configured locally, of course.

And, as a side note, IMHO it would be nice to the users to move auth configuration to the web application.

It's something we need to do, yes.

Actions #2

Updated by Benoît PECCATTE over 9 years ago

Using pam may be a bit difficult since authentication is done within the scala application.
Moreover, authenticating on a web application with local user seems a bit weird to me.

Actions #3

Updated by Vincent MEMBRÉ over 9 years ago

  • Target version changed from 3.1.0~beta1 to 3.1.0~rc1
Actions #4

Updated by Vincent MEMBRÉ over 9 years ago

  • Target version changed from 3.1.0~rc1 to 3.1.0
Actions #5

Updated by Vincent MEMBRÉ over 9 years ago

  • Target version changed from 3.1.0 to 3.1.1
Actions #6

Updated by Vincent MEMBRÉ over 9 years ago

  • Target version changed from 3.1.1 to 3.1.2
Actions #7

Updated by Jonathan CLARKE over 9 years ago

  • Target version changed from 3.1.2 to Ideas (not version specific)
Actions #8

Updated by Matthieu CERDA about 9 years ago

Actions #9

Updated by Matthieu CERDA about 9 years ago

I guess we should do what SSO-enabled applications do: give the possibility in the application to use the HTTP REMOTE_USER variable, delegating the task of authenticating the user to the application server or an upper layer (like Apache).

Obviously, special warning should be issued to the user: In this mode, Rudder will trust blindly what Jetty sends to it, the user should be well aware of the security implications and must provide the right authentication layer him / her self :)

Actions #10

Updated by Benoît PECCATTE almost 7 years ago

  • Status changed from Discussion to New
  • Assignee deleted (Jonathan CLARKE)
Actions #11

Updated by Alexis Mousset about 1 year ago

  • Status changed from New to Rejected
  • Regression set to No

PAM is not current trend, we nos support ldap+oidc, closing.

Actions

Also available in: Atom PDF