Pam unix vs. pam ldap
From Brandonhutchinson.com
Overview
The following notes list some differences between pam_unix and pam_ldap authentication.
pam_unix
With pam_unix:
- The userPassword attribute must be non-null.
- Passwords must be stored in {crypt} format on the LDAP server.
- The proxy agent (e.g., cn=proxyagent,ou=profile,dc=example,dc=com) must have read and search privileges for the userPassword attribute.
- ldaplist -l passwd will return all password hashes, similar to ypcat passwd in a NIS environment.
- The entered password is not sent to the LDAP server.
- The default /etc/pam.conf file is configured for pam_unix (at least on Solaris 8).
- pam_unix will not support the LDAP server's password policy controls (e.g., password syntax checking, account lockout, forced password change after reset, etc.): the password is verified on the client, so the server never sees a bind attempt for the user and has nothing to apply its policy to.
Given the severe limitation of ldaplist -l passwd returning all password hashes, pam_ldap should be used if possible.
pam_ldap
With pam_ldap:
- The proxy agent (e.g., cn=proxyagent,ou=profile,dc=example,dc=com) does not need read and search privileges for the userPassword attribute.
- If the LDAP server's ACLs deny the proxy agent read access to userPassword, ldaplist -l passwd will not return the user password hashes.
- The entered password is sent to the LDAP server in the bind request, so the client-server connection must be encrypted (e.g., the tls:simple authentication method); otherwise the cleartext password crosses the network.
- The default /etc/pam.conf will have to be modified.
  - An example pam.conf file for pam_ldap (Solaris 8 and 9): http://docs.sun.com/app/docs/doc/806-4077/6jd6blbg4?a=view
  - An example pam.conf file for pam_ldap (Solaris 10): http://docs.sun.com/app/docs/doc/816-4556/6maort2u1?a=view
- pam_ldap supports the LDAP server's password policy controls (e.g., password syntax checking, account lockout, forced password change after reset, etc.).
Authentication walk-through
A user attempts to login to a host using ssh and is prompted for a password:
$ ssh user@host
Password:
What happens next?
pam_unix
With pam_unix:
- Bound as the proxy agent, the client performs an LDAP search in the ou=people container for an entry that contains objectClass=shadowAccount and uid=user. The search base is the value of NS_LDAP_SEARCH_BASEDN from /var/ldap/ldap_client_file.
- If an entry is found, the client reads its userPassword attribute, calls crypt() on the password entered at the prompt using the stored hash as the salt, and compares the result with the stored {crypt} value. If the values match, the user is authenticated. The server only ever sees the proxy agent's search; it does not see the user's password.
pam_ldap
With pam_ldap:
- Bound as the proxy agent, the client performs an LDAP search in the ou=people container for an entry that contains objectClass=posixAccount and uid=user. The search base is the value of NS_LDAP_SEARCH_BASEDN from /var/ldap/ldap_client_file.
- If an entry is found, the client attempts to bind to the LDAP server using the entry's Distinguished Name (DN) (e.g., uid=user,ou=people,dc=example,dc=com) and the password entered at the prompt. If the bind succeeds, the user is authenticated. The server verifies the password itself, so it can reject the bind under its own password policy (e.g., a locked account), and the client never needs to read userPassword.
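The following is an added example, not code from the page or from Sun: a self-contained Python model of the two walk-throughs above, run against a constructed in-memory directory. The proxy agent DN is the one used on the page; the user entry, the ACL switch on userPassword, the lockout threshold and the crypt() stand-in (salted SHA-256 stored in a {crypt}-shaped string, since crypt(3) is not the point here) are assumptions. It shows the three differences that matter: where the password is verified, who has to be able to read userPassword (and therefore what ldaplist -l passwd exposes), and which path the server's lockout policy can act on.

```python
# Added example (not from the page): model of the pam_unix and pam_ldap
# authentication paths. Directory entries, ACL switch, lockout threshold and
# the crypt() stand-in are constructed for illustration.
import hashlib
import secrets

PROXY_DN = "cn=proxyagent,ou=profile,dc=example,dc=com"   # DN from the page
PROXY_PW = "proxy-secret"          # constructed
LOCKOUT_THRESHOLD = 3              # constructed server-side password policy


def crypt_stub(password, salt=None):
    """Stand-in for crypt(3): salted SHA-256 stored as '{crypt}salt$hex'.
    Only the shape matches a real {crypt} value; it is not DES/MD5 crypt."""
    if salt is None:
        salt = secrets.token_hex(4)
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return "{crypt}%s$%s" % (salt, digest)


def crypt_verify(password, stored):
    """Re-crypt the candidate with the salt taken from the stored value, compare."""
    salt = stored[len("{crypt}"):].split("$", 1)[0]
    return secrets.compare_digest(crypt_stub(password, salt), stored)


class LdapServer:
    """Minimal directory: search with an ACL on userPassword, plus bind."""

    def __init__(self, entries, proxy_reads_password):
        self.entries = entries                  # dn -> attribute dict
        self.proxy_reads_password = proxy_reads_password
        self.failures = {}                      # dn -> consecutive failed binds

    def search(self, bind_dn, match):
        """{dn: attrs} for entries where match(attrs) holds. ACL: userPassword
        is returned only to the proxy agent, and only when the directory is
        configured to allow it (the configuration pam_unix requires)."""
        hits = {}
        for dn, attrs in self.entries.items():
            if not match(attrs):
                continue
            visible = dict(attrs)
            if not (bind_dn == PROXY_DN and self.proxy_reads_password):
                visible.pop("userPassword", None)
            hits[dn] = visible
        return hits

    def bind(self, dn, password):
        """Server-side check; returns 'success', 'auth-failed' or 'locked'."""
        entry = self.entries.get(dn)
        if entry is None:
            return "auth-failed"
        if self.failures.get(dn, 0) >= LOCKOUT_THRESHOLD:
            return "locked"
        if crypt_verify(password, entry["userPassword"]):
            self.failures[dn] = 0
            return "success"
        self.failures[dn] = self.failures.get(dn, 0) + 1
        return "auth-failed"


def pam_unix_auth(server, user, password):
    """pam_unix: bind as proxy, fetch the hash, compare on the client.
    The typed password never leaves the host, but the proxy must read hashes."""
    if server.bind(PROXY_DN, PROXY_PW) != "success":
        return "auth-failed"
    hits = server.search(PROXY_DN, lambda a: "shadowAccount" in a["objectClass"]
                         and a["uid"] == user)
    for attrs in hits.values():
        stored = attrs.get("userPassword")
        if not stored:            # null or unreadable userPassword: cannot authenticate
            return "auth-failed"
        return "success" if crypt_verify(password, stored) else "auth-failed"
    return "auth-failed"


def pam_ldap_auth(server, user, password):
    """pam_ldap: bind as proxy only to find the DN, then bind as the user.
    The server verifies the password and applies its own policy (lockout here)."""
    if server.bind(PROXY_DN, PROXY_PW) != "success":
        return "auth-failed"
    hits = server.search(PROXY_DN, lambda a: "posixAccount" in a["objectClass"]
                         and a["uid"] == user)
    for dn in hits:
        return server.bind(dn, password)
    return "auth-failed"


def ldaplist_passwd(server):
    """What 'ldaplist -l passwd' shows a local user: whatever the proxy can read."""
    hits = server.search(PROXY_DN, lambda a: "posixAccount" in a["objectClass"])
    return {a["uid"]: a.get("userPassword") for a in hits.values()}


def make_server(proxy_reads_password):
    """Constructed directory: the proxy agent and one posixAccount/shadowAccount user."""
    entries = {
        PROXY_DN: {"objectClass": ["person"], "cn": "proxyagent",
                   "userPassword": crypt_stub(PROXY_PW)},
        "uid=alice,ou=people,dc=example,dc=com": {
            "objectClass": ["posixAccount", "shadowAccount"], "uid": "alice",
            "userPassword": crypt_stub("correct horse")},
    }
    return LdapServer(entries, proxy_reads_password)


if __name__ == "__main__":
    permissive = make_server(proxy_reads_password=True)   # ACL pam_unix needs
    print("pam_unix:", pam_unix_auth(permissive, "alice", "correct horse"))
    print("ldaplist -l passwd:", ldaplist_passwd(permissive))   # hash exposed
    hardened = make_server(proxy_reads_password=False)    # ACL pam_ldap allows
    print("pam_unix, hardened ACL:", pam_unix_auth(hardened, "alice", "correct horse"))
    print("pam_ldap:", pam_ldap_auth(hardened, "alice", "correct horse"))
    print("ldaplist -l passwd:", ldaplist_passwd(hardened))    # no hash
    for _ in range(LOCKOUT_THRESHOLD):
        pam_ldap_auth(hardened, "alice", "wrong")
    print("pam_ldap after lockout:", pam_ldap_auth(hardened, "alice", "correct horse"))
```

Running it shows pam_unix succeeding only while the proxy agent can read userPassword, which is exactly the configuration under which ldaplist_passwd returns the hashes; with the hash hidden from the proxy, pam_unix has nothing to compare and fails, while pam_ldap still authenticates and the server's lockout takes effect after three bad binds. On the permissive server the same three bad pam_unix attempts change nothing, because the server never sees them.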
