Hi, my question about PAM, libscript... comes from my idea: I would like to implement secondary passwords in a very similar way to how Google's application-specific passwords work. [1]
We are using LDAP for centralized user management. Systems providing services to users are verified against this LDAP. Users save those passwords in mail clients, on workstations, on tablets, ... We would like to give users the option not to store their main password in their clients. We would like to offer them alternative passwords that work for email, calendar clients and so on, on a specific device. If one of the devices is compromised, the user only has to revoke the password for that device.

In short: I want to offer users the possibility to generate secondary passwords that work for email and so on. I expect them to create multiple passwords marked with some nickname, like:

  - phone-email
  - tablet-email
  - phone-calendar

and so on. Those passwords should work with a standard LDAP bind, but not necessarily on the same suffix and/or where the primary LDAP is. We would like to split the primary LDAP passwords used for financial and high-trust applications from those serving email and calendar.

How can I do something like this with 389 DS? My idea is this:

  uid=semik,dc=neco
  objectClass: inetOrgPerson
  cn: Jan Tomasek
  sn: Tomasek
  uid: semik
  userPassword: {SSHA}...

  dc=12345,uid=semik,dc=neco
  objectClass: appPassword
  dc: 12345
  password: some-generated-password1
  passwordLabel: phone-email

  dc=12395,uid=semik,dc=neco
  objectClass: appPassword
  dc: 12395
  password: some-generated-password2
  passwordLabel: tablet-email

  dc=12399,uid=semik,dc=neco
  objectClass: appPassword
  dc: 12399
  password: some-generated-password3
  passwordLabel: phone-calendar

I tried to implement this as PAM pass-through authentication. It works, but it is very fragile. I'm looking for a more robust and faster way. I know it is possible to do this with a PreOperation plugin, but maybe there is some easier way, or maybe someone has already implemented such a plugin. Any comments? Ideas?
Thanks

[1] https://support.google.com/accounts/answer/185833

--
-----------------------
Jan Tomasek aka Semik
http://www.tomasek.cz/

--
389 users mailing list
389-us...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
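As an added example that is not part of the original post or of 389 DS: a small in-memory Python model of the proposed layout (primary userPassword on the user entry, per-device appPassword children) showing the bind decision a PreOperation plugin would have to make. The dict-based directory, the function names, and the LOW_TRUST_SERVICES set are assumptions; unlike the cleartext `password:` lines in the post, the app passwords here are stored as {SSHA} hashes.

```python
import base64, hashlib, hmac, os, secrets

# Constructed in-memory stand-in for the directory (not a 389 DS plugin):
# maps a DN to its attributes. App passwords are only honoured for the
# services this deployment treats as low trust (assumption).
LOW_TRUST_SERVICES = {"email", "calendar"}

def ssha(password: str, salt: bytes = b"") -> str:
    """LDAP {SSHA} scheme: base64(sha1(password + salt) + salt)."""
    salt = salt or os.urandom(8)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(password: str, stored: str) -> bool:
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

def make_directory(uid: str, primary_password: str) -> dict:
    return {f"uid={uid},dc=neco": {"objectClass": "inetOrgPerson",
                                    "userPassword": ssha(primary_password)}}

def add_app_password(entries: dict, uid: str, label: str) -> str:
    """Create a child appPassword entry; the generated secret is returned once."""
    secret = secrets.token_urlsafe(12)
    dc = str(secrets.randbelow(90000) + 10000)   # numeric id like 12345 in the post
    entries[f"dc={dc},uid={uid},dc=neco"] = {"objectClass": "appPassword",
        "password": ssha(secret), "passwordLabel": label}
    return secret

def revoke(entries: dict, uid: str, label: str) -> int:
    """Delete every appPassword child of uid carrying this label (device lost)."""
    doomed = [dn for dn, e in entries.items()
              if dn.endswith(f",uid={uid},dc=neco") and e.get("passwordLabel") == label]
    for dn in doomed:
        del entries[dn]
    return len(doomed)

def bind(entries: dict, uid: str, password: str, service: str):
    """Pre-bind decision: the primary password works for any service; an app
    password only for low-trust services. Returns "primary", the matching
    passwordLabel, or None when the bind must be rejected."""
    user = entries.get(f"uid={uid},dc=neco")
    if user and ssha_verify(password, user["userPassword"]):
        return "primary"
    if service not in LOW_TRUST_SERVICES:
        return None
    for dn, e in entries.items():
        if dn.endswith(f",uid={uid},dc=neco") and e.get("objectClass") == "appPassword":
            if ssha_verify(password, e["password"]):
                return e["passwordLabel"]
    return None
```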