View Issue Details

IDProjectCategoryView StatusLast Update
0008012mantisbtauthenticationpublic2008-01-06 05:52
Reportertroglobit Assigned To 
PrioritynormalSeverityfeatureReproducibilityN/A
Status newResolutionopen 
Summary0008012: Consider supporting Linux-PAM for authentication
Description

To ease integration on Linux/UNIX-based servers it would be really useful to support PAM -- Pluggable Authentication Modules.

For more information see: http://www.kernel.org/pub/linux/libs/pam/

Many sites use a hybrid system, in which the user accounts are administered on a Windows ADS. The Linux/UNIX servers use winbind+pam-kerberos to connect to the ADS and later use PAM for authentication of public services.

Additional Information

I found this on the phpWebNotes Mantis: http://www.futureware.biz/mantis/view.php?id=82

TagsNo tags attached.

Relationships

related to 0004235 closedvboctor Support Generic Authentication through Plug-ins 

Activities

DGtlRift

DGtlRift

2007-07-03 11:41

reporter   ~0014858

I have considered this, and was working on a proof of concept. It uses the PECL php package PAM (http://pecl.php.net/package/PAM)

Things that needed to be considered:
Auto detecting if the module is installed and working to prevent misconfiguration of the mantis installation.

Detecting if the user is built in and if not falling back to the conventional user table. An indication in the user table needs to be defined to indicate if the user is built in to the PAM system or fall back to Mantis

When adding new users not allow user name/id collision.

What should be done in the other direction when a user exists in Mantis and the system back end has a new user that collides?

Prevent any indication of built in users for user name harvesting or bruit force password speculation.

troglobit

troglobit

2007-07-03 20:42

reporter   ~0014861

Very interesting, personally I was just looking for a way to allow already existing shell users on a UNIX-server -- not managing both shell AND mantis-only users.

To that end I was considering implementing only the very basic PAM support - i.e. authentication. E.g. by looking for, or providing a copy of, http://www.math.ohio-state.edu/~ccunning/pam_auth/

Our system is go for launch in September, so I only have August (when I return from vacation) to fix this. So I'll likely go for a quick and simple solution. When that is done I will post it here.

troglobit

troglobit

2007-10-10 14:44

reporter   ~0015843

Last edited: 2007-10-10 14:47

Hi, just wanted to check back in with some news, or rather lack of. The deployment of our new server has been stalled, so I have yet to do any serious work on this issue. But I stumbled upon 0003619 today, so maybe it is easier to just add generic Apache mod_auth support?

Some news though: I've actually made mod_auth_pam work with both Subversion and TWiki, so how hard could it be to activate it in Mantis?

troglobit

troglobit

2008-01-06 05:52

reporter   ~0016564

Last edited: 2010-03-15 08:58

Yes!

With some magic Winbind setup[1] I've managed to authenticate Mantis against our Active Directory server. I used mod_auth_pam in Apache2 using BASIC_AUTH, see issue 0003619 for details on patching Mantis v1.1.0.

This actually does it for me, so any developer reading this can close this issue now.

For Apache2 you need to perform the following steps (in Debian/Ubuntu) to get it to work properly:

  • Make www-data (Apache user) member of the shadow group,
    use 'sudo vigr' otherwise Apache cannot use PAM...
  • Add the following to you Mantis .htpasswd or Apache2
    site conf file, ymmv:

    Auth PAM - Winbind

    AuthPAM_Enabled on
    AuthName "Enter your Company Domain Login Credentials"
    AuthType Basic

    Workaround for Apache >2.1

    AuthBasicAuthoritative off

    No hanky panky

    require valid-user

[1] - The setup I used http://vmlinux.org/foswiki/bin/view/Main/JoinWindowsDomain

Updated 2010-03-15: Correcting the wiki link. Regards! --Joachim