View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0008012 | mantisbt | authentication | public | 2007-05-24 08:05 | 2008-01-06 05:52 |
Reporter | troglobit | Assigned To | |||
Priority | normal | Severity | feature | Reproducibility | N/A |
Status | new | Resolution | open | ||
Summary | 0008012: Consider supporting Linux-PAM for authentication | ||||
Description | To ease integration on Linux/UNIX-based servers it would be really useful to support PAM -- Pluggable Authentication Modules. For more information see: http://www.kernel.org/pub/linux/libs/pam/ Many sites use a hybrid system, in which the user accounts are administered on a Windows ADS. The Linux/UNIX servers use winbind+pam-kerberos to connect to the ADS and later use PAM for authentication of public services. | ||||
Additional Information | I found this on the phpWebNotes Mantis: http://www.futureware.biz/mantis/view.php?id=82 | ||||
Tags | No tags attached. | ||||
I have considered this, and was working on a proof of concept. It uses the PECL PHP package PAM (http://pecl.php.net/package/PAM). Things that needed to be considered: Detecting if the user is built in and, if not, falling back to the conventional user table. An indication in the user table needs to be defined to indicate if the user is built in to the PAM system or falls back to Mantis. When adding new users, not allowing user name/id collision. What should be done in the other direction, when a user exists in Mantis and the system back end has a new user that collides? Prevent any indication of built-in users for user name harvesting or brute force password speculation. |
|
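The considerations listed in the comment above, sketched as an added example; it is not MantisBT code and not the commenter's proof of concept. The `backend` column, the function names, the `password_hash()` storage and the sample users are assumptions made for illustration; `pam_auth()` is the function provided by the PECL PAM extension.

```php
<?php
// Added example, not MantisBT code. $users stands in for the user table;
// the 'backend' column is a hypothetical per-user flag.
const BACKEND_LOCAL = 'local';
const BACKEND_PAM = 'pam';

// Real check through pam_auth() from the PECL PAM extension, when loaded.
// Pass 'pamCheck' as $pamAuth outside of this demo.
function pamCheck(string $name, string $pass): bool
{
    return function_exists('pam_auth') && pam_auth($name, $pass);
}

// Returns only true/false: an unknown name, a wrong password and a PAM
// rejection look the same to the caller, so the login form does not
// reveal which names exist or which backend they use.
function login(array $users, string $name, string $pass, callable $pamAuth): bool
{
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);
    $row = $users[$name] ?? null;
    if ($row === null) {
        password_verify($pass, $dummy); // same hashing cost as a local miss
        return false;
    }
    if ($row['backend'] === BACKEND_PAM) {
        return (bool) $pamAuth($name, $pass);
    }
    return password_verify($pass, $row['hash']);
}

// Refuse a new local account whose name is already in the table or
// already belongs to a system account (looked up by $systemHas).
function canCreateLocalUser(array $users, string $name, callable $systemHas): bool
{
    return !isset($users[$name]) && !$systemHas($name);
}

// Constructed sample data and stand-ins for PAM and the system account list.
$users = [
    'alice' => ['backend' => BACKEND_LOCAL, 'hash' => password_hash('s3cret', PASSWORD_DEFAULT)],
    'bob'   => ['backend' => BACKEND_PAM, 'hash' => null],
];
$fakePam = fn(string $n, string $p): bool => $n === 'bob' && $p === 'shellpw';
$fakeSystem = fn(string $n): bool => in_array($n, ['bob', 'carol'], true);

foreach ([['alice', 's3cret'], ['bob', 'shellpw'], ['bob', 'wrong'], ['nobody', 'x']] as [$n, $p]) {
    var_dump(login($users, $n, $p, $fakePam));
}
var_dump(canCreateLocalUser($users, 'carol', $fakeSystem), canCreateLocalUser($users, 'dave', $fakeSystem));
```

The sketch assumes every PAM-backed account already has a row in the user table; how such rows get created on first login is left open, as it is in the comment.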
Very interesting, personally I was just looking for a way to allow already existing shell users on a UNIX-server -- not managing both shell AND mantis-only users. To that end I was considering implementing only the very basic PAM support - i.e. authentication. E.g. by looking for, or providing a copy of, http://www.math.ohio-state.edu/~ccunning/pam_auth/ Our system is go for launch in September, so I only have August (when I return from vacation) to fix this. So I'll likely go for a quick and simple solution. When that is done I will post it here. |
|
Hi, just wanted to check back in with some news, or rather lack of. The deployment of our new server has been stalled, so I have yet to do any serious work on this issue. But I stumbled upon 0003619 today, so maybe it is easier to just add generic Apache mod_auth support? Some news though: I've actually made mod_auth_pam work with both Subversion and TWiki, so how hard could it be to activate it in Mantis? |
|
Yes! With some magic Winbind setup[1] I've managed to authenticate Mantis against our Active Directory server. I used mod_auth_pam in Apache2 using BASIC_AUTH, see issue 0003619 for details on patching Mantis v1.1.0. This actually does it for me, so any developer reading this can close this issue now. For Apache2 you need to perform the following steps (in Debian/Ubuntu) to get it to work properly:
[1] - The setup I used http://vmlinux.org/foswiki/bin/view/Main/JoinWindowsDomain Updated 2010-03-15: Correcting the wiki link. Regards! --Joachim |
|