Forum OpenACS Q&A: Using Linux logins for OACS

Posted by Tom Gwozdz on

I would like to have a Linux machine running OACS, and have each user
on the Linux machine automatically have a login for the OACS site, and
for the two to be synchronized.  Is something like this possible?


Posted by Jonathan Ellis on
it's possible, but it'd take a bunch of customization.  first, by default, oacs logins are keyed by email address, so you'd have to change that.  second, you'd have to write scripts to add users to linux when they are added to oacs.  (this is easier than the other way around.)
Posted by Matthew Geddert on
writing the script to log email addresses could be reasonably easy. If all of these users are going to have an account on this server anyways, you could simply create a box that lets you add a username, and have that entered into the linux box via pushing that command to the operating system. Then, before entering the username into the database you could simply append mailto:""; to the username, and presto you are still using email addresses as the primary key. The way to keep passwords synchornized could be a bit difficult, especially if you are using encrypted passwords. If you are just using plain text passwords on your system it would be much easier. Sadly this is a reasonably huge security hole if you have people telneting or sshing into your system... if you only want user accounts on your system in order to create email or samba accounts this is another matter... in this case only administrators would need shell access.
Posted by Talli Somekh on
We recently did this for a client who wanted their email passwords on a linux box to be synched with the OACS intranet. I'm not up on the actual implementation, but I know that LDAP was used, I think the AOLserver LDAP module in fact.

I'll try and get more info on this.


Posted by Sean Redmond on
We're the client Talli mentioned. What we did took a lot of customization and our situation is not as straightforward as yours but basically we set up an LDAP directory and a custom login page that ignores ACS passwords but gets them instead from the directory via ns_ldap. This also involved creating (well, finding and copying) a TCL procedure to handle SSHA encryption for the passwords since that seemed to be what OpenLDAP wanted to use.

We aren't using LDAP for user authentication (i.e. pam_ldap) since users never log in to that particular server directly, but that would be the simplest way to keep things down to one password. We use psynch to synchronize our passwords over several Windows and Linux systems, so I just customized the psynch script to run both passwd and ldappasswd for every synchronization.

I also wrote a script for adding users that creates both the Unix accounts and LDAP entries. If you provided the right information you could have the script create the user in your ACS database as well, though what I did was create a custom 'add user' page for our ACS installation that searches the LDAP directory for accounts that don't yet exist in ACS, it then offers them as options on a drop-down menu. You pick the one you want and goes on to the usual 'add user' page with as much information as possible filled in from LDAP.

It does take a lot of customization but once you have ns_ldap set up, you can use your LDAP data however you need to.

Sean Redmond