Pam unix vs. pam ldap
From Brandonhutchinson.com
Revision as of 21:38, 14 December 2007
Overview
The following notes list some differences between pam_unix and pam_ldap authentication.
pam_unix
With pam_unix:
- The userPassword attribute must be non-null.
- Passwords must be stored in {crypt} format on the LDAP server.
- The proxy agent (e.g., cn=proxyagent,ou=profile,dc=example,dc=com) must have read and search privileges for the userPassword attribute.
- ldaplist -l passwd will return all password hashes, similar to ypcat passwd in a NIS environment.
- The entered password is not sent to the LDAP server.
pam_ldap
- The proxy agent (e.g., cn=proxyagent,ou=profile,dc=example,dc=com) does not need read and search privileges for the userPassword attribute.
- The entered password is sent to the LDAP server, so encryption should be used.
- If the LDAP server is properly configured, ldaplist -l passwd will not return all user password hashes.
Walkthrough
A user attempts to log in to a host using ssh and is prompted for a password.
$ ssh user@host
Password:
What happens next?
pam_unix
- An LDAP search is performed in the ou=people container for an entry that contains objectClass=shadowAccount and uid=user. The search base is the value of NS_LDAP_SEARCH_BASEDN from /var/ldap/ldap_client_file.
- If an entry is found, the value of the userPassword attribute is compared with the password specified on the command line. If the values match, the user is authenticated.
pam_ldap
- An LDAP search is performed in the ou=people container for an entry that contains objectClass=posixAccount and uid=user. The search base is the value of NS_LDAP_SEARCH_BASEDN from /var/ldap/ldap_client_file.
- If an entry is found, the client attempts to bind to the LDAP server using the Distinguished Name (DN) (e.g., uid=user,ou=people,dc=example,dc=com) and password specified on the command line. If the client is able to bind, the user is authenticated.
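The two walkthroughs above, as an added simulation that is not part of the original page: a constructed in-memory directory stands in for the LDAP server, and a hashlib-based helper stands in for a {crypt} hash (Python's crypt module is gone as of 3.13). Each flow returns whether the user authenticated and whether the cleartext password had to travel to the server, which is the practical difference the notes describe.

```python
import hashlib
import hmac

SALT = "ab"  # constructed salt for the toy directory


def crypt_stand_in(password: str, salt: str = SALT) -> str:
    """Stand-in for a {crypt} value; a real directory holds crypt(3) output."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return "{crypt}" + salt + "$" + digest


def crypt_verify(password: str, stored: str) -> bool:
    salt = stored[len("{crypt}"):].split("$", 1)[0]
    return hmac.compare_digest(crypt_stand_in(password, salt), stored)


# Constructed toy directory: one account under ou=people.
DIRECTORY = {
    "uid=user,ou=people,dc=example,dc=com": {
        "objectClass": {"posixAccount", "shadowAccount"},
        "uid": "user",
        "userPassword": crypt_stand_in("s3cret"),
    },
}


def ldap_search(object_class: str, uid: str, proxy_reads_hash: bool):
    """Proxy-agent search. The server withholds userPassword unless the
    agent's ACL grants read/search on it (required only for pam_unix)."""
    for dn, entry in DIRECTORY.items():
        if object_class in entry["objectClass"] and entry["uid"] == uid:
            visible = dict(entry)
            if not proxy_reads_hash:
                visible.pop("userPassword")
            return dn, visible
    return None, None


def ldap_bind(dn: str, password: str) -> bool:
    """Server-side simple bind: the cleartext password reaches the server."""
    entry = DIRECTORY.get(dn)
    return bool(entry) and crypt_verify(password, entry["userPassword"])


def pam_unix(uid: str, password: str, proxy_reads_hash: bool = True):
    """pam_unix flow -> (authenticated, password_sent_to_server)."""
    _, entry = ldap_search("shadowAccount", uid, proxy_reads_hash)
    if not entry or not entry.get("userPassword"):
        return False, False  # null hash or ACL withholds it: nothing to compare
    return crypt_verify(password, entry["userPassword"]), False


def pam_ldap(uid: str, password: str):
    """pam_ldap flow -> (authenticated, password_sent_to_server)."""
    dn, _ = ldap_search("posixAccount", uid, proxy_reads_hash=False)
    if dn is None:
        return False, False
    return ldap_bind(dn, password), True
```

Running pam_unix with proxy_reads_hash=False shows why that flow needs the proxy agent to read userPassword: the comparison cannot happen at all, while pam_ldap still succeeds because the server does the check during the bind.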
