Pam unix vs. pam ldap

(Difference between revisions)

Revision as of 21:23, 14 December 2007

The userPassword attribute must be non-null
The proxy agent (e.g., cn=proxyagent,ou=profile,dc=example,dc=com) must have read and search privileges for the userPassword attribute
ldaplist -l passwd will return all password hashes, similar to ypcat passwd in a NIS environment
Requires passwords to be stored in {crypt} format on the LDAP server

The proxy agent (e.g., cn=proxyagent,ou=profile,dc=example,dc=com) does not need read and search privileges for the userPassword attribute

A user attempts to login to a host using ssh and is prompted for a password.

$ ssh user@host
Password:

What happens next?

The proxy agent (e.g., cn=proxyagent,ou=profile,dc=example,dc=com) does not need read and search privileges for the userPassword attribute

$ ssh user@host
$ Password:

What happens next?

@@ Line 2: / Line 2: @@
 * The '''userPassword''' attribute must be non-null
-* The proxy agent (e.g., '''cn=proxyagent,ou=profile,dc=example,dc=com''') must have read and search privileges for the '''userPassword''' attribute; i.e., '''ldaplist -l passwd''' will return all password hashes, similar to '''ypcat passwd''' in a NIS environment
+* The proxy agent (e.g., '''cn=proxyagent,ou=profile,dc=example,dc=com''') must have read and search privileges for the '''userPassword''' attribute
+* '''ldaplist -l passwd''' will return all password hashes, similar to '''ypcat passwd''' in a NIS environment
 * Requires passwords to be stored in '''{crypt}''' format on the LDAP server
+=== pam_ldap ===
+* The proxy agent (e.g., '''cn=proxyagent,ou=profile,dc=example,dc=com''') does not need read and search privileges for the '''userPassword''' attribute
+=== Walkthrough ===
+A user attempts to login to a host using ssh and is prompted for a password.
+ $ '''ssh user@host'''
+ Password:
+What happens next?
 === pam_ldap ===