From: Terry Lambert <tlambert2@mindspring.com>
Date: Wed, 26 Nov 2003 23:10:01 -0800
To: Clifton Royston
Cc: freebsd-hackers@freebsd.org
Subject: Re: getpwnam with md5 encrypted passwds
List-Id: Technical Discussions relating to FreeBSD <freebsd-hackers@freebsd.org>
Message-ID: <3FC5A349.3FCA4DE9@mindspring.com>

Clifton Royston wrote:
> If you will need to do authentication after your program drops
> privileges, your best course is probably to go through PAM, to install
> a separate daemon which implements a PAM-supported protocol and which
> runs with privileges, and then to enable that protocol as a PAM
> authentication method for your application.
[ ... RADIUS example with LDAP mention ... ]

Sounds like a good approach, though I'll point out that had you tried
LDAP, you would have been hard-put to use LDAP as a proxy protocol to
another authentication base (a PAM backend for an LDAP server, while not
quite impossible, would be very hard).

How did you avoid the recursion problem of the RADIUS server trying to
authenticate via pam_radius to the RADIUS server trying to
authenticate ...?

-- Terry
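The arrangement Clifton describes (an unprivileged application authenticating through PAM to a separate privileged daemon speaking RADIUS), together with the recursion problem Terry asks about, laid out as a constructed configuration example. This is added here and is not from either mail: it uses FreeBSD's pam_radius(8) with its conf= option and the /etc/radius.conf format read by libradius; the service names "myapp" and "radiusd" are placeholders, and the shared secret is a placeholder value.

```conf
# /etc/pam.d/myapp -- PAM stack for the application that has dropped
# privileges.  Constructed example; "myapp" is a placeholder service name.
# The unprivileged process never reads master.passwd itself: pam_radius
# hands the credentials to the privileged RADIUS daemon over the network.
auth     sufficient  pam_radius.so  conf=/etc/radius.conf
auth     required    pam_deny.so
account  required    pam_permit.so

# /etc/radius.conf -- client side, read by pam_radius via libradius.
# Keep this file mode 0600: it holds the shared secret (placeholder here).
# Format: auth <server> [port] <secret> [timeout] [retries]
auth  127.0.0.1  SHARED_SECRET_PLACEHOLDER  3  3

# /etc/pam.d/radiusd -- the PAM service the privileged RADIUS daemon itself
# uses to verify passwords (service name assumed; it depends on the daemon).
# This stack must end in a local backend.  If it listed pam_radius.so
# pointing at the same server, each request would re-enter the daemon and
# recurse until the client's timeout and retries were exhausted, which is
# the loop Terry asks about.
auth     required    pam_unix.so
account  required    pam_unix.so
```

The split is what makes the privilege drop meaningful: only the RADIUS daemon's PAM stack touches the local password database, so only that process needs the rights to read it, and the loop is broken by policy (the daemon's own service never references the RADIUS module) rather than by hoping the retry limit saves you.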