User story #6230
closed
Proposal: PAM authentication
Added by Dennis Cabooter about 9 years ago.
Updated 8 months ago.
Category:
Web - Maintenance
Description
Rudder is almost our only web application that has local authentication only. Most of our other web applications talk to PAM or have the ability to set authentication to HTTP auth, and then Apache talks to PAM by using htaccess. That's how Zabbix does it; it has the possibility to set authentication to HTTP auth. In our case PAM is configured to talk to winbind, which then talks to Active Directory. And, as a side note, IMHO it would be nice to the users to move auth configuration to the web application.
- Subject changed from Proposal: more advanced authentication to Proposal: PAM authentication
- Target version changed from 2.11.7 to 3.1.0~beta1
Denis,
You can't use PAM authentication for now (but patches or sponsored dev are welcomed!).
Nonetheless, you can use LDAP/Active Directory authentication: http://www.rudder-project.org/rudder-doc-2.11/rudder-doc.html#ldap-auth-provider.
The authorization are still to be configured locally, of course.
And, as a side note, IMHO it would be nice to the users to move auth configuration to the web application.
It's something we need to do, yes.
Using pam may be a bit difficult since authentication is done within the scala application.
Moreover, authenticating on a web application with local user seems a bit weird to me.
- Target version changed from 3.1.0~beta1 to 3.1.0~rc1
- Target version changed from 3.1.0~rc1 to 3.1.0
- Target version changed from 3.1.0 to 3.1.1
- Target version changed from 3.1.1 to 3.1.2
- Target version changed from 3.1.2 to Ideas (not version specific)
I guess we should do what SSO-enabled applications do: give the possibility in the application to use the HTTP REMOTE_USER variable, delegating the task of authenticating the user to the application server or an upper layer (like Apache).
Obviously, special warning should be issued to the user: In this mode, Rudder will trust blindly what Jetty sends to it, the user should be well aware of the security implications and must provide the right authentication layer him / her self :)
- Status changed from Discussion to New
- Assignee deleted (
Jonathan CLARKE)
- Status changed from New to Rejected
- Regression set to No
PAM is not current trend, we nos support ldap+oidc, closing.
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by 
Updated by 
Updated by Matthieu CERDA 
Updated by