[Twisted-web] Nevow, guard and PAM

Phil Mayers p.mayers at imperial.ac.uk
Mon Oct 24 15:53:51 MDT 2005


A common requirement (I imagine) is to hook Nevow/Guard authentication 
out to system auth; even more commonly PAM, though maybe not. This is a 
relatively straightforward recipe that works for me. See:

http://deadbeefbabe.org/paste/1939

Basically, a Cred checker for IUsernamePassword is written; it writes 
the u/p down the unix socket to Cyrus SASL's "saslauthd", and callbacks 
or errbacks a deferred as appropriate.

My RHEL3 box has:

/etc/sysconfig/saslauthd::

FLAGS="-c -n 0"
MECH="pam"

...and /etc/pam.d/MYSERVICE:

#%PAM-1.0
auth       required     /lib/security/$ISA/pam_krb5.so no_user_check
account    required     /lib/security/$ISA/pam_permit.so
password   required     /lib/security/$ISA/pam_permit.so
session    required     /lib/security/$ISA/pam_permit.so

...Kerberos being used to hand off to AD.

There's also some code in there to handle jumping "straight in" to a 
guarded hierarchy; specifically the locateChild and data_misc / 
"form(action=T.slot('action'))" idiom. I *think* this is right, but may 
not be completely general. I'd appreciate comments.
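
The saslauthd exchange described in the message above, as an added example that is not the code from the linked paste or from the post's author. It uses the length-prefixed framing of the saslauthd socket protocol; the socket path is an assumption, and "MYSERVICE" is the PAM service name from the post.

```python
import socket
import struct

SASLAUTHD_MUX = "/var/run/saslauthd/mux"  # assumed path; set to your daemon's socket


def _field(text):
    """One request field: 2-byte big-endian length, then the bytes."""
    data = text.encode("utf-8")
    if len(data) > 0xFFFF:
        raise ValueError("field too long for saslauthd framing")
    return struct.pack("!H", len(data)) + data


def build_request(user, password, service, realm=""):
    """Frame login, password, service and realm, in that order."""
    return b"".join(_field(f) for f in (user, password, service, realm))


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("saslauthd closed the connection early")
        buf += chunk
    return buf


def read_reply(sock):
    """True only for a reply starting with "OK"; anything else is a failure."""
    (length,) = struct.unpack("!H", _recv_exact(sock, 2))
    return _recv_exact(sock, length)[:2] == b"OK"


def check_password(user, password, service="MYSERVICE", path=SASLAUTHD_MUX):
    """Blocking check; a Deferred-based checker must not call this on the reactor thread."""
    if not user or not password:
        return False  # added precaution: never forward empty credentials
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(5.0)
        sock.connect(path)
        sock.sendall(build_request(user, password, service))
        return read_reply(sock)
```

A caller should treat a timeout or `ConnectionError` from `check_password` as a failed login rather than letting the request through.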


