[Twisted-web] Nevow, guard and PAM
Phil Mayers
p.mayers at imperial.ac.uk
Mon Oct 24 15:53:51 MDT 2005
A common requirement (I imagine) is to hook Nevow/Guard authentication
out to system auth; even more commonly PAM, though maybe not. This is a
relatively straightforward recipe that works for me. See:
http://deadbeefbabe.org/paste/1939
Basically, a Cred checker for IUsernamePassword is written; it writes
the u/p down the unix socket to Cyrus SASL's "saslauthd", and callbacks
or errbacks a deferred as appropriate.
My RHEL3 box has:

/etc/sysconfig/saslauthd::

    FLAGS="-c -n 0"
    MECH="pam"

...and /etc/pam.d/MYSERVICE:

    #%PAM-1.0
    auth required /lib/security/$ISA/pam_krb5.so no_user_check
    account required /lib/security/$ISA/pam_permit.so
    password required /lib/security/$ISA/pam_permit.so
    session required /lib/security/$ISA/pam_permit.so

...Kerberos being used to hand off to AD.
There's also some code in there to handle jumping "straight in" to a
guarded hierarchy; specifically the locateChild and data_misc /
"form(action=T.slot('action'))" idiom. I *think* this is right, but may
not be completely general. I'd appreciate comments.
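
The saslauthd socket exchange described in the post, as an added example that is not part of the original message or the linked paste: the request is four fields (login, password, service, realm), each prefixed with a 2-byte big-endian length, and the reply is a length-prefixed string beginning "OK" or "NO". It uses blocking sockets rather than a Twisted deferred, and the daemon, the account and the function names are constructed stand-ins so it runs offline; against a real daemon the client socket would be an AF_UNIX connection to its mux socket (commonly /var/run/saslauthd/mux, an assumption here).

```python
import socket
import struct
import threading

def encode_request(login, password, service, realm=""):
    """Four fields, each a 2-byte big-endian length followed by the bytes."""
    out = b""
    for field in (login, password, service, realm):
        raw = field.encode("utf-8")
        if len(raw) > 0xFFFF:
            raise ValueError("field too long for saslauthd framing")
        out += struct.pack("!H", len(raw)) + raw
    return out

def read_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed early")
        buf += chunk
    return buf

def check_password(sock, login, password, service):
    """True only on an explicit OK reply; errors and short reads fail closed."""
    try:
        sock.sendall(encode_request(login, password, service))
        (size,) = struct.unpack("!H", read_exact(sock, 2))
        return read_exact(sock, size)[:2] == b"OK"
    except ConnectionError:
        return False

def fake_saslauthd(sock, accounts):
    """Constructed stand-in for the daemon (constructed account) to run offline."""
    fields = []
    for _ in range(4):
        (size,) = struct.unpack("!H", read_exact(sock, 2))
        fields.append(read_exact(sock, size))
    reply = b"OK" if accounts.get(fields[0]) == fields[1] else b"NO"
    sock.sendall(struct.pack("!H", len(reply)) + reply)
    sock.close()

def demo(login, password):
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_saslauthd, args=(server, {b"alice": b"s3cret"}))
    t.start()
    ok = check_password(client, login, password, "MYSERVICE")
    client.close()
    t.join()
    return ok
```

In a Cred checker the boolean maps onto the deferred: callback with the avatar id on True, errback with an unauthorized-login failure on anything else, including a dropped socket.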