Linux and pam_ldap (LDAP bind instead of search request)

From: Bernd Nies (bnies_at_bluewin.ch)
Date: 06/22/04

    Date: 22 Jun 2004 08:16:17 -0700

    Hi,

    How can one authenticate on Linux using LDAP bind instead of search
    requests?

    By default a SuSE Linux 9.0 LDAP client uses pam_unix2.so with the
    "use_ldap" option in /etc/security/pam_unix2.conf. This configuration
    does a search request on the LDAP server to fetch the user's crypt
    userPassword attribute and compares that password with the encrypted
    password he entered.

    Solaris offers the option to use another LDAP authentication method:
    The client issues an LDAP bind request on the server with the user's
    credentials. This is better because then the password on the LDAP
    server can be stored with a stronger encryption (SSHA), the passwords
    on the LDAP server must not be readable by the client, and account
    lockout can be controlled by an LDAP policy on the server.

    Sample Solaris /etc/pam.conf:
    -----------------------------
    login auth requisite pam_authtok_get.so.1
    login auth required pam_dhkeys.so.1
    login auth required pam_dial_auth.so.1
    login auth binding pam_unix_auth.so.1 server_policy
    login auth required pam_ldap.so.1

    How can this be done on Linux? I tried the pam_ldap.so module with the
    examples from /usr/share/doc/packages/pam_ldap and authentication
    works ... but still using the search request method.

    SuSE Linux 9.0 /etc/ldap.conf:
    ------------------------------
    host 192.168.5.216 192.168.1.216 192.168.4.216 192.168.6.216
    base o=company,c=ch
    ldap_version 3
    #ssl start_tls
    ssl no
    ### Bind DN for search requests
    binddn cn=proxyagent,ou=special_users,o=company,c=ch
    bindpw mypassword
    ### NSS search bases
    nss_base_passwd ou=people,o=company,c=ch
    nss_base_shadow ou=people,o=company,c=ch
    nss_base_group ou=group,o=company,c=ch
    nss_base_hosts ou=hosts,o=company,c=ch
    nss_base_services ou=services,o=adnovum,c=ch
    scope one

    SuSE Linux 9.0 /etc/pam.d/sshd:
    -------------------------------
    auth required pam_nologin.so
    auth sufficient pam_ldap.so
    auth required pam_unix2.so use_first_pass # set_secrpc
    account required pam_unix2.so
    password required pam_pwcheck.so
    password required pam_ldap.so use_authtok
    password required pam_unix2.so use_first_pass use_authtok
    session required pam_unix2.so
    session required pam_limits.so
    session required pam_env.so
    session optional pam_mail.so

    Thanks in advance for help.

    Regards,
    Bernd
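The contrast the post draws between the two methods (search-and-compare versus bind as the user) can be made concrete with a small model. The following is an added example, not code from the post and not the pam_ldap or pam_unix2 implementation: an in-memory `Directory` class stands in for the LDAP server, the DN and base names reuse the post's ldap.conf values, and the toy ACL, the `{SHA}` stand-in for crypt (Python 3.13 no longer ships the crypt module) and the `LOCKOUT_THRESHOLD` of 3 are assumptions chosen for illustration. It shows why the bind method lets the server keep userPassword unreadable, verify a salted SSHA value itself, and count failed attempts, while the search method needs a readable hash, can only check schemes the client understands, and never lets the server see a failure.

```python
"""Toy model of search-and-compare versus bind-as-user LDAP authentication (constructed example)."""
import base64
import hashlib
import os

PEOPLE_BASE = "ou=people,o=company,c=ch"                    # from the post's ldap.conf
PROXY_DN = "cn=proxyagent,ou=special_users,o=company,c=ch"  # from the post's ldap.conf
LOCKOUT_THRESHOLD = 3                                       # assumed server-side password policy


def ssha_hash(password, salt=None):
    """RFC 2307 style {SSHA}: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(stored, password):
    """Recompute the salted digest from the stored value; only the server needs to do this."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest


def sha_hash(password):
    """Unsalted {SHA}; stands in here for the crypt scheme a client-side compare understands."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def sha_verify(stored, password):
    return stored.startswith("{SHA}") and stored == sha_hash(password)


class Directory:
    """In-memory stand-in for the LDAP server: entries, a toy ACL and a lockout counter."""

    def __init__(self, password_readers):
        self.entries = {}                              # dn -> attributes
        self.failed = {}                               # dn -> consecutive failed binds
        self.locked = set()
        self.password_readers = set(password_readers)  # DNs allowed to read userPassword

    def add(self, dn, **attrs):
        self.entries[dn] = dict(attrs)

    def bind(self, dn, password):
        """Simple bind: the server verifies the password and counts failures itself."""
        entry = self.entries.get(dn)
        if entry is None or dn in self.locked:
            return False
        stored = entry["userPassword"]
        if ssha_verify(stored, password) or sha_verify(stored, password):
            self.failed[dn] = 0
            return True
        self.failed[dn] = self.failed.get(dn, 0) + 1
        if self.failed[dn] >= LOCKOUT_THRESHOLD:
            self.locked.add(dn)
        return False

    def search(self, bound_as, base, uid):
        """Return (dn, attributes) for uid under base; userPassword only if the ACL allows it."""
        for dn, entry in self.entries.items():
            if dn.endswith(base) and entry.get("uid") == uid:
                visible = dict(entry)
                if bound_as not in self.password_readers:
                    visible.pop("userPassword", None)
                return dn, visible
        return None, None


def auth_by_search(directory, proxy_pw, uid, password):
    """pam_unix2 'use_ldap' style: bind as the proxy, read the hash, compare on the client."""
    if not directory.bind(PROXY_DN, proxy_pw):
        return False
    _, entry = directory.search(PROXY_DN, PEOPLE_BASE, uid)
    if entry is None or "userPassword" not in entry:
        return False  # hash not readable by the client: it cannot decide at all
    return sha_verify(entry["userPassword"], password)  # client understands only the legacy scheme


def auth_by_bind(directory, proxy_pw, uid, password):
    """pam_ldap style: look up the DN via the proxy, then bind with the user's own credentials."""
    if not directory.bind(PROXY_DN, proxy_pw):
        return False
    dn, _ = directory.search(PROXY_DN, PEOPLE_BASE, uid)
    return dn is not None and directory.bind(dn, password)


def build_directory(proxy_can_read_passwords=True):
    """Constructed sample data: one SSHA user, one legacy-scheme user, the proxy agent."""
    d = Directory([PROXY_DN] if proxy_can_read_passwords else [])
    d.add(PROXY_DN, cn="proxyagent", userPassword=ssha_hash("mypassword"))
    d.add("uid=alice," + PEOPLE_BASE, uid="alice", userPassword=ssha_hash("alice-pw"))
    d.add("uid=bob," + PEOPLE_BASE, uid="bob", userPassword=sha_hash("bob-pw"))
    return d


def demo():
    """Run both flows and report the properties the post contrasts."""
    d = build_directory()
    results = {
        "search_legacy_ok": auth_by_search(d, "mypassword", "bob", "bob-pw"),
        "search_ssha_ok": auth_by_search(d, "mypassword", "alice", "alice-pw"),
        "bind_ssha_ok": auth_by_bind(d, "mypassword", "alice", "alice-pw"),
    }
    for _ in range(LOCKOUT_THRESHOLD):  # wrong passwords against the bind flow: server counts them
        auth_by_bind(d, "mypassword", "alice", "wrong")
    results["bind_locked_after_failures"] = not auth_by_bind(d, "mypassword", "alice", "alice-pw")
    for _ in range(LOCKOUT_THRESHOLD):  # wrong passwords against the search flow: server sees nothing
        auth_by_search(d, "mypassword", "bob", "wrong")
    results["search_never_locks"] = auth_by_search(d, "mypassword", "bob", "bob-pw")
    hidden = build_directory(proxy_can_read_passwords=False)
    results["search_needs_readable_hash"] = auth_by_search(hidden, "mypassword", "bob", "bob-pw")
    results["bind_works_without_readable_hash"] = auth_by_bind(hidden, "mypassword", "alice", "alice-pw")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the search flow succeeding only for the legacy-scheme user with a readable hash and never triggering lockout, while the bind flow verifies the SSHA value on the server, works with userPassword hidden from the proxy, and locks the account after the assumed number of failed binds.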

