Possible to run an IdP from /etc/passwd or NIS?

Cantor, Scott cantor.2 at osu.edu
Fri Mar 7 17:35:37 EST 2014


On 3/7/14, 5:31 PM, "Phil Gold" <phil at cs.jhu.edu> wrote:
>
>The documentation[0] only mentions UnixLoginModule supporting the `debug`
>option, so I don't think there's a lot of room for using the options
>incorrectly.  On top of that, I found a number of places online (e.g. [1],
>[2]) that seemed to indicate that it doesn't actually do any
>authentication.

Heh, that's an interesting definition of JAAS module, then. Maybe it's
just for collecting up roles, in which case it might address your other
use case?

>>That's really totally out of scope of anything we support
>
>Yeah, I figured.  We have plans to move to something involving LDAP
>eventually, but I've been asked to get the IdP working on a much shorter
>timetable.  :-/

Well, I didn't mean we don't support that but do support some other JAAS
module, literally we stop at the JAAS layer and the rest is up to who's
supplying the JAAS module.

V3 will have native login code for LDAP and hopefully Kerb, and that would
be "supported" in the usual sense, whereas we'll also have JAAS and
continue to defer support for the modules themselves to their authors.

This is all formal-speak. I'm just saying we don't test with any
particular JAAS modules or guarantee compatibility with them.

>I think I can get something working with HTTP basic auth,
>mod_authnz_external and the RemoteUser handler, but HTTP basic auth leaves
>a lot to be desired in the user experience department.

There are some options with Apache 2.4 and forms auth via cookies I think.
I don't swear to it.

>I should be able to get everything working well enough for our purposes,
>one way or the other, but I wanted to make sure I wasn't missing anything
>in what Shibboleth has available already.

No, very little in this regard.

-- Scott
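An added probe (not part of this thread or the Shibboleth project) that checks the claim above about UnixLoginModule doing no authentication: it feeds the module a deliberately bogus username and password through a JAAS callback handler, and shows that login still succeeds and the resulting Subject carries the principals of the account running the JVM, not of the user supplied. The JAAS entry name "probe" and the credentials are constructed for the example; it needs a Unix host since the module reads the process uid/gid natively.

```java
import java.security.Principal;
import java.util.Collections;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class UnixLoginModuleProbe {
    // Programmatic equivalent of a login.config entry:
    //   probe { com.sun.security.auth.module.UnixLoginModule required debug=true; };
    static final Configuration CONFIG = new Configuration() {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(
                    "com.sun.security.auth.module.UnixLoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                    Collections.singletonMap("debug", "true"))
            };
        }
    };

    // Hands a user/password pair to any module that asks for one. A password
    // module (e.g. an LDAP module) would invoke this; UnixLoginModule never does.
    static CallbackHandler credentials(String user, String password) {
        return (Callback[] callbacks) -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password.toCharArray());
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
    }

    public static void main(String[] args) throws LoginException {
        // Constructed, invalid credentials: a real password check must reject them.
        LoginContext lc = new LoginContext("probe", new Subject(),
                credentials("nosuchuser", "wrong-password"), CONFIG);
        lc.login(); // completes without consulting the credentials at all
        for (Principal p : lc.getSubject().getPrincipals()) {
            System.out.println(p.getClass().getSimpleName() + " = " + p.getName());
        }
    }
}
```

The printed principals (UnixPrincipal and the numeric uid/gid principals) describe the process owner, which is why wiring this module into the IdP's JAAS handler would grant a session to anyone who reaches the login form.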
