"Andrew H. Chatham" <andrew.chatham@duke.edu> wrote:

I'm not sure if this is the right mailing list to ask (maybe zope-dev?), but here's what I'm trying to do. I need to authenticate potentially a very large number of people off of kerberos5. To my knowledge there's no krb5 userfolder or anything like that; I could write one, but it seems that it would be much more elegant and possibly easier to use some sort of PAM authentication and then just use a PAM-krb5 module.

But it doesn't seem like there's a PAM-Zope interface either, is there? Or am I just not seeing it? There seemed to be some discussion previously of how that would be a good idea, but I never sawa conclusion. If there is no such animal, I guess I'll write one. Is my impression that things are moving towards LoginManager plugins correct? Would that be the ideal place to put this kind of thing? Has anyone attempted to do much with this? I would imagine with the PyPAM module it wouldn't be terribly difficult, but I'd rather not duplicate effort if I don't have to.

A lot of the "common abstraction" benefits of using PAM are perhaps eclipsed by the much higher-level abstractions offered by the LoginManager product. I think the best approach would be to work with Phillip Eby and Ty Sarna (the developers of LoginManager) who are about to release an LDAP-enabled LM derivative. My guess is that writing a PAM/kerberos LM derivative will be a SMOP, given the LDAP version as a model (think, "writing an ethernet driver for Linux, for a NIC much like the 3C509"). Tres. -- ========================================================= Tres Seaver tseaver@digicool.com tseaver@palladion.com