On Wed, 2011-08-03 at 15:40 +0100, Mark McLoughlin wrote:
Hi Dmitri,
On Fri, 2011-07-29 at 12:31 -0400, Dmitri Pal wrote:
> On 07/29/2011 11:58 AM, Martyn Taylor wrote:
> > Identity
> >
> > Goals
> > - support authentication against external LDAP
> > - provide authentication mechanism across aeolus components
> >
> > Conversation Topics
> >
> > * LDAP Support:
> >
> > * Conductor auth against LDAP with local DB Fallback
> >
> > * conductor first tries to authenticate the user against the external
> > LDAP server. If the user is found there, a user account in the local db
> > is created (except credentials) if it doesn't exist yet. If the user is
> > not found in LDAP, the local db is searched.
> >
>
> I wonder why reinvent the wheel. Can you use local pam stack for
> authentication

Using PAM is an interesting idea. It does make the app more complicated
to install and configure, though. And makes it less portable. Also, I
don't see much talk of Rails apps using PAM.

All that being said, though, it might be a good option for LDAP support
assuming we retain the option of using Conductor's DB as an identity
store.

Oh yes, as Simo pointed out, the other thing about PAM is that it
doesn't get us Kerberos support - it's not a magic bullet on that front.

Cheers,
Mark.
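
Added example, not part of the thread and not Conductor's code: a Ruby sketch of the "LDAP first, local DB fallback" flow from the quoted proposal, showing the two places it can fail open (falling back after a wrong LDAP password, and logging in to a credential-less shadow account). The hashes standing in for the LDAP server and the users table, and all method names, are hypothetical.

```ruby
require "openssl"

# Constructed stand-ins (assumptions): one Hash plays the external LDAP
# directory, another plays Conductor's local users table.
LDAP_DIR = { "alice" => "ldap-secret" }
LOCAL_DB = {}

def kdf(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 10_000,
                           length: 32, hash: "sha256")
end

def add_local_user(login, password)
  salt = OpenSSL::Random.random_bytes(16)
  LOCAL_DB[login] = { source: :local, salt: salt, hash: kdf(password, salt) }
end

# Comparison whose running time does not depend on where the inputs differ.
def secure_equal?(a, b)
  a.bytesize == b.bytesize &&
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns :ldap or :local on success, nil on failure.
def authenticate(login, password)
  # An LDAP simple bind with an empty password is an unauthenticated bind
  # (RFC 4513) that a server may report as success, so refuse it up front.
  return nil if password.to_s.empty?

  if LDAP_DIR.key?(login)
    # The user exists in LDAP, so LDAP alone decides. A wrong password must
    # NOT fall through to the local DB, or a stale local password still works.
    return nil unless secure_equal?(LDAP_DIR[login], password)
    # Shadow account "except credentials": no salt, no hash stored locally.
    LOCAL_DB[login] ||= { source: :ldap, salt: nil, hash: nil }
    return :ldap
  end

  # Fallback runs only when the user is not found in LDAP.
  user = LOCAL_DB[login]
  # A shadow account has no local credentials and can never log in locally,
  # for example after the user has been removed from LDAP.
  return nil if user.nil? || user[:hash].nil?
  secure_equal?(user[:hash], kdf(password, user[:salt])) ? :local : nil
end
```

With a real directory the `LDAP_DIR` lookup and comparison become a search for the user's DN followed by a bind as that DN; the ordering of the checks stays the same.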