Pam unix vs. pam ldap

From Brandonhutchinson.com


Revision as of 21:23, 14 December 2007


pam_unix

  • The userPassword attribute must be non-null
  • The proxy agent (e.g., cn=proxyagent,ou=profile,dc=example,dc=com) must have read and search privileges for the userPassword attribute
  • ldaplist -l passwd will return all password hashes, similar to ypcat passwd in a NIS environment
  • Requires passwords to be stored in {crypt} format on the LDAP server

pam_ldap

  • The proxy agent (e.g., cn=proxyagent,ou=profile,dc=example,dc=com) does not need read and search privileges for the userPassword attribute

Walkthrough

A user attempts to log in to a host over ssh and is prompted for a password.

$ ssh user@host
Password:

What happens next?
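As an added illustration (not code from the original page), the Python model below contrasts the two paths the walkthrough is about to cover: with pam_unix the client reads the userPassword hash through the proxy agent and compares it locally, so the proxy agent needs read/search access and the value must be a non-null {crypt} string; with pam_ldap the client binds to the directory as the user and the server does the compare, so no hash ever has to be readable. The DNs, the ACL dictionaries and PBKDF2 standing in for crypt(3) are constructed assumptions for the example.

```python
"""Constructed model of pam_unix vs. pam_ldap against an LDAP directory."""
import hashlib
import hmac

PROXY_AGENT = "cn=proxyagent,ou=profile,dc=example,dc=com"
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"
SALT = b"constructed-salt"  # a real crypt(3) string carries its own salt


def _hash(password):
    # Stand-in for crypt(3); a real {crypt} value is a crypt(3) string.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000).hex()


# Constructed directory contents: alice has a {crypt} hash, bob's is null.
DIRECTORY = {
    ALICE: {"userPassword": "{crypt}" + _hash("correct horse")},
    BOB: {"userPassword": ""},
}
# Two ACL policies: the proxy agent may read userPassword, or may not.
ACL_OPEN = {PROXY_AGENT: {"userPassword"}}
ACL_CLOSED = {PROXY_AGENT: set()}


def _check_crypt(stored, password):
    """Verify a {crypt}-tagged value; a null or non-{crypt} value never matches."""
    if not stored or not stored.startswith("{crypt}"):
        return False
    return hmac.compare_digest(stored[len("{crypt}"):], _hash(password))


def ldap_read_userpassword(bind_dn, entry_dn, acl):
    """What 'ldaplist -l passwd' sees: the attribute only if the ACL permits."""
    if "userPassword" not in acl.get(bind_dn, set()):
        return None
    return DIRECTORY.get(entry_dn, {}).get("userPassword")


def pam_unix_auth(entry_dn, password, acl):
    """pam_unix: the proxy agent fetches the hash, the client compares locally."""
    stored = ldap_read_userpassword(PROXY_AGENT, entry_dn, acl)
    return _check_crypt(stored, password)


def pam_ldap_auth(entry_dn, password):
    """pam_ldap: bind as the user; the directory compares, the hash stays server-side."""
    return _check_crypt(DIRECTORY.get(entry_dn, {}).get("userPassword"), password)
```

Running pam_unix_auth against ACL_CLOSED fails even with the correct password, which is exactly the case where switching to pam_ldap lets the proxy agent's read access on userPassword be withdrawn.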
