Pam unix vs. pam ldap
From Brandonhutchinson.com
Revision as of 21:29, 14 December 2007
pam_unix
- The userPassword attribute must be non-null
- The proxy agent (e.g., cn=proxyagent,ou=profile,dc=example,dc=com) must have read and search privileges for the userPassword attribute
- Because the proxy agent can read userPassword, ldaplist -l passwd will return the password hashes of every account, similar to ypcat passwd in a NIS environment
- Requires passwords to be stored in {crypt} format on the LDAP server
pam_ldap
- The proxy agent (e.g., cn=proxyagent,ou=profile,dc=example,dc=com) does not need read and search privileges for the userPassword attribute
Walkthrough
A user attempts to log in to a host using ssh and is prompted for a password.
$ ssh user@host
Password:
What happens next?
pam_unix
- An LDAP search is performed in the ou=people container for an entry that contains objectClass=shadowAccount and uid=user. The search base is the value of NS_LDAP_SEARCH_BASEDN from /var/ldap/ldap_client_file.
- If
pam_ldap
- The proxy agent (e.g., cn=proxyagent,ou=profile,dc=example,dc=com) does not need read and search privileges for the userPassword attribute
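The two flows above, as an added example that is not part of the original page: pam_unix has the proxy agent search ou=people under NS_LDAP_SEARCH_BASEDN for the shadowAccount entry, read userPassword and compare locally, while pam_ldap only needs the entry's DN and then binds as the user. The client file, the directory entries and the SHA-256 stand-in for {crypt} hashes are constructed for the example; a real server would hold {crypt} hashes.

```python
import hashlib
import re

# Constructed stand-in for /var/ldap/ldap_client_file (not a real client profile).
CLIENT_FILE = """\
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=example,dc=com
NS_LDAP_SERVERS= 192.0.2.10
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
"""

def search_basedn(client_file: str) -> str:
    """Return NS_LDAP_SEARCH_BASEDN; pam_unix derives its search base from it."""
    m = re.search(r"^NS_LDAP_SEARCH_BASEDN=\s*(.+)$", client_file, re.M)
    if not m:
        raise ValueError("NS_LDAP_SEARCH_BASEDN missing from client file")
    return m.group(1).strip()

def escape_filter(value: str) -> str:
    """RFC 4515 escaping so a login name cannot change the shape of the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def pam_unix_filter(user: str, basedn: str):
    """Search base and filter pam_unix uses to locate the user's shadowAccount entry."""
    return (f"ou=people,{basedn}",
            f"(&(objectClass=shadowAccount)(uid={escape_filter(user)}))")

# Constructed directory. SHA-256 stands in for the {crypt} hashes a real server stores.
def _h(pw: str) -> str:
    return "{SHA256}" + hashlib.sha256(pw.encode()).hexdigest()

DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com":
        {"objectClass": ["posixAccount", "shadowAccount"], "uid": "alice",
         "userPassword": _h("s3cret")},
}

def _find_entry(user: str, basedn: str):
    """Proxy-agent search for the entry; reading userPassword is NOT needed for this."""
    base, _flt = pam_unix_filter(user, basedn)
    for dn, e in DIRECTORY.items():
        if dn.endswith(base) and "shadowAccount" in e["objectClass"] and e["uid"] == user:
            return dn, e
    return None, None

def pam_unix_auth(user: str, password: str, proxy_reads_userpassword: bool) -> bool:
    """pam_unix: the proxy agent reads the hash and the client compares it locally."""
    _dn, e = _find_entry(user, search_basedn(CLIENT_FILE))
    if e is None or not proxy_reads_userpassword:
        return False            # no entry, or userPassword withheld by the server ACL
    return e["userPassword"] == _h(password)

def pam_ldap_auth(user: str, password: str) -> bool:
    """pam_ldap: locate the DN, then bind as it; the server does the comparison."""
    dn, e = _find_entry(user, search_basedn(CLIENT_FILE))
    return dn is not None and e["userPassword"] == _h(password)   # simulated bind
```

With the pam_ldap-style ACL (proxy agent cannot read userPassword), pam_unix_auth fails even for the correct password while pam_ldap_auth succeeds, which is the access difference the two sections describe.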