User story #6230

closed

Proposal: PAM authentication

Added by Dennis Cabooter about 9 years ago. Updated 8 months ago.

Status: Rejected
Priority: N/A
Assignee: -
Category: Web - Maintenance
Regression: No

Description

Rudder is almost our only web application that has local authentication only. Most of our other web applications talk to PAM or have the ability to set authentication to HTTP auth, and then Apache talks to PAM by using htaccess. That's how Zabbix does it; it has the possibility to set authentication to HTTP auth. In our case PAM is configured to talk to winbind, which then talks to Active Directory. And, as a side note, IMHO it would be nice to the users to move auth configuration to the web application.


Related issues 1 (0 open, 1 closed)

Has duplicate Rudder - User story #7147: Can Rudder Jetty talk AD? (Rejected, 2015-08-31)
Actions #1

Updated by François ARMAND about 9 years ago

  • Subject changed from Proposal: more advanced authentication to Proposal: PAM authentication
  • Target version changed from 2.11.7 to 3.1.0~beta1

Denis,

You can't use PAM authentication for now (but patches or sponsored dev are welcome!).
Nonetheless, you can use LDAP/Active Directory authentication: http://www.rudder-project.org/rudder-doc-2.11/rudder-doc.html#ldap-auth-provider.
The authorizations are still to be configured locally, of course.

> And, as a side note, IMHO it would be nice to the users to move auth configuration to the web application.

It's something we need to do, yes.

Actions #2

Updated by Benoît PECCATTE almost 9 years ago

Using PAM may be a bit difficult since authentication is done within the Scala application.
Moreover, authenticating on a web application with a local user seems a bit weird to me.

Actions #3

Updated by Vincent MEMBRÉ almost 9 years ago

  • Target version changed from 3.1.0~beta1 to 3.1.0~rc1
Actions #4

Updated by Vincent MEMBRÉ almost 9 years ago

  • Target version changed from 3.1.0~rc1 to 3.1.0
Actions #5

Updated by Vincent MEMBRÉ almost 9 years ago

  • Target version changed from 3.1.0 to 3.1.1
Actions #6

Updated by Vincent MEMBRÉ over 8 years ago

  • Target version changed from 3.1.1 to 3.1.2
Actions #7

Updated by Jonathan CLARKE over 8 years ago

  • Target version changed from 3.1.2 to Ideas (not version specific)
Actions #8

Updated by Matthieu CERDA over 8 years ago

Actions #9

Updated by Matthieu CERDA over 8 years ago

I guess we should do what SSO-enabled applications do: give the possibility in the application to use the HTTP REMOTE_USER variable, delegating the task of authenticating the user to the application server or an upper layer (like Apache).

Obviously, a special warning should be issued to the user: in this mode, Rudder will trust blindly what Jetty sends to it; the user should be well aware of the security implications and must provide the right authentication layer himself/herself :)
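
The trust boundary raised in the comment above, as an added example that is not part of this thread or of Rudder's code: the application accepts a delegated identity only when the request arrives from the authenticating front end, and still resolves authorization locally. The header name `X-Remote-User`, the loopback-only proxy and the role table are assumptions made for the illustration.

```python
import ipaddress

# Assumptions (not from the Rudder code base): the front end forwards the
# authenticated login in X-Remote-User and connects over the loopback interface.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8"),
                   ipaddress.ip_network("::1/128")]
IDENTITY_HEADER = "x-remote-user"

# Authorization stays local: being authenticated upstream grants no role.
LOCAL_ROLES = {"alice": "administrator", "bob": "read_only"}  # constructed


class Rejected(Exception):
    """Raised when the delegated identity must not be trusted."""


def resolve_user(peer_ip, headers):
    """Return (login, role) for a request, or raise Rejected.

    peer_ip -- address of the TCP peer, taken from the socket, never from
               X-Forwarded-For or any other client-controlled value.
    headers -- list of (name, value) pairs exactly as received.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        # A client that reaches the application directly can set any header.
        raise Rejected("identity header from untrusted peer")

    values = [v for k, v in headers if k.lower() == IDENTITY_HEADER]
    if len(values) != 1:
        # Missing: the front end did not authenticate anyone. Repeated: a
        # client-supplied copy survived next to the front end's own.
        raise Rejected("expected exactly one identity header")

    login = values[0]
    if not login or any(c.isspace() or not c.isprintable() for c in login):
        raise Rejected("malformed login")

    role = LOCAL_ROLES.get(login)
    if role is None:
        raise Rejected("authenticated upstream but no local authorization")
    return login, role
```

The front end also has to drop any copy of the identity header sent by the client before adding its own; the single-value check above only catches the case where it did not.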

Actions #10

Updated by Benoît PECCATTE about 6 years ago

  • Status changed from Discussion to New
  • Assignee deleted (Jonathan CLARKE)
Actions #11

Updated by Alexis Mousset 8 months ago

  • Status changed from New to Rejected
  • Regression set to No

PAM is not the current trend, we now support ldap+oidc, closing.
