Pam unix vs. pam ldap

From Brandonhutchinson.com

Current revision (15:50, 17 December 2007)

Overview

The following notes list some differences between pam_unix and pam_ldap authentication.

pam_unix

With pam_unix:

  • The userPassword attribute must be non-null.
  • Passwords must be stored in {crypt} format on the LDAP server.
  • The proxy agent (e.g., cn=proxyagent,ou=profile,dc=example,dc=com) must have read and search privileges for the userPassword attribute.
  • ldaplist -l passwd will return all password hashes, similar to ypcat passwd in a NIS environment.
  • The entered password is not sent to the LDAP server.
  • The default /etc/pam.conf file is configured for pam_unix (at least on Solaris 8).
  • pam_unix will not support the LDAP server's password policy controls (e.g., password syntax checking, account lockout, forced password change after reset, etc.).

Given the severe limitation of ldaplist -l passwd returning all password hashes, pam_ldap should be used if possible.

pam_ldap

With pam_ldap:

  • The proxy agent (e.g., cn=proxyagent,ou=profile,dc=example,dc=com) does not need read and search privileges for the userPassword attribute.
  • If the LDAP server is properly configured, ldaplist -l passwd will not return all user password hashes.
  • The entered password is sent to the LDAP server, so encryption (e.g., TLS:Simple) should be used.
  • The default /etc/pam.conf will have to be modified.
  • pam_ldap supports the LDAP server's password policy controls (e.g., password syntax checking, account lockout, forced password change after reset, etc.).

Authentication walk-through

A user attempts to log in to a host using ssh and is prompted for a password:

$ ssh user@host
Password:

What happens next?

pam_unix

With pam_unix:

  • An LDAP search is performed in the ou=people container for an entry that contains objectClass=shadowAccount and uid=user. The search base is the value of NS_LDAP_SEARCH_BASEDN from /var/ldap/ldap_client_file.
  • If an entry is found, the password specified on the command line is hashed with crypt() and compared with the userPassword attribute. If the values match, the user is authenticated.

pam_ldap

With pam_ldap:

  • An LDAP search is performed in the ou=people container for an entry that contains objectClass=posixAccount and uid=user. The search base is the value of NS_LDAP_SEARCH_BASEDN from /var/ldap/ldap_client_file.
  • If an entry is found, the client attempts to bind to the LDAP server using the Distinguished Name (DN) (e.g., uid=user,ou=people,dc=example,dc=com) and password specified on the command line. If the client is able to bind, the user is authenticated.
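The two walk-throughs above, modelled end to end in Python as an added example (this is not code from the page or from Sun/Solaris). It uses an in-memory toy directory with one access rule, "which bind DNs may read userPassword", in place of a real LDAP server's ACIs, and a sha256-based stand-in for crypt(3) that keeps crypt's salt-prefixed shape. The user entry, the proxy agent's credentials and the passwords are all constructed. It shows why pam_unix needs the proxy agent to read userPassword and why, under the same access rule, pam_ldap still works because the server does the comparison during the bind; list_password_hashes() models what ldaplist -l passwd exposes in each configuration.

```python
"""Model of the pam_unix and pam_ldap authentication paths (added example;
directory, access rule and hash function are constructed stand-ins)."""
import hashlib
import hmac

BASEDN = "dc=example,dc=com"                      # NS_LDAP_SEARCH_BASEDN
PROXY_DN = "cn=proxyagent,ou=profile," + BASEDN   # proxy agent from the page
PEOPLE = "ou=people," + BASEDN                    # container searched by passwd


def crypt_stand_in(password: str, salt: str) -> str:
    """Stand-in for crypt(3): '<salt>$<digest>', so the salt is recoverable
    from the stored value and a client can re-hash an entered password."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"{salt}${digest}"


def verify_crypt(stored: str, password: str) -> bool:
    """Compare an entered password with a '{crypt}...' userPassword value."""
    if not stored.startswith("{crypt}"):
        return False  # pam_unix can only compare crypt-format hashes
    salt = stored[len("{crypt}"):].split("$", 1)[0]
    expected = "{crypt}" + crypt_stand_in(password, salt)
    return hmac.compare_digest(expected, stored)


class Directory:
    """Toy LDAP server: entries keyed by DN, plus the set of bind DNs that are
    allowed to read userPassword (the privilege the page says pam_unix needs)."""

    def __init__(self, entries, password_readers):
        self.entries = entries
        self.password_readers = set(password_readers)

    def bind(self, dn: str, password: str) -> bool:
        """Simple bind: the server checks the password against its own copy."""
        entry = self.entries.get(dn)
        if entry is None:
            return False
        return any(verify_crypt(v, password) for v in entry.get("userPassword", []))

    def search(self, bound_as: str, base: str, filt: dict):
        """Subtree search under base for entries matching every attr=value in
        filt; userPassword is stripped unless bound_as may read it."""
        results = []
        for dn, attrs in self.entries.items():
            if not dn.endswith("," + base):
                continue
            if all(v in attrs.get(a, []) for a, v in filt.items()):
                visible = dict(attrs)
                if bound_as not in self.password_readers:
                    visible.pop("userPassword", None)
                results.append((dn, visible))
        return results


def pam_unix_auth(d: Directory, proxy_pw: str, uid: str, entered: str) -> bool:
    """pam_unix: the proxy agent reads the hash and the client compares
    locally; the entered password never leaves the host."""
    if not d.bind(PROXY_DN, proxy_pw):
        return False
    hits = d.search(PROXY_DN, PEOPLE, {"objectClass": "shadowAccount", "uid": uid})
    if not hits:
        return False
    stored = hits[0][1].get("userPassword")
    if not stored:  # null, or not readable by the proxy agent
        return False
    return verify_crypt(stored[0], entered)


def pam_ldap_auth(d: Directory, proxy_pw: str, uid: str, entered: str) -> bool:
    """pam_ldap: the proxy agent only locates the DN; the user then binds and
    the server verifies, so the password crosses the wire (hence TLS)."""
    if not d.bind(PROXY_DN, proxy_pw):
        return False
    hits = d.search(PROXY_DN, PEOPLE, {"objectClass": "posixAccount", "uid": uid})
    if not hits:
        return False
    user_dn = hits[0][0]
    return d.bind(user_dn, entered)


def list_password_hashes(d: Directory, proxy_pw: str):
    """What 'ldaplist -l passwd', run with the proxy agent's credentials,
    would expose: (uid, hash) for every entry whose hash it may read."""
    if not d.bind(PROXY_DN, proxy_pw):
        return []
    hits = d.search(PROXY_DN, PEOPLE, {"objectClass": "posixAccount"})
    return [(a["uid"][0], a["userPassword"][0]) for _, a in hits if "userPassword" in a]


def make_directory(proxy_may_read_passwords: bool) -> Directory:
    """Constructed sample directory: one user plus the proxy agent."""
    entries = {
        "uid=alice," + PEOPLE: {
            "objectClass": ["posixAccount", "shadowAccount"],
            "uid": ["alice"],
            "userPassword": ["{crypt}" + crypt_stand_in("correct horse", "ab")],
        },
        PROXY_DN: {
            "cn": ["proxyagent"],
            "userPassword": ["{crypt}" + crypt_stand_in("proxy-secret", "cd")],
        },
    }
    return Directory(entries, [PROXY_DN] if proxy_may_read_passwords else [])


if __name__ == "__main__":
    for readable in (True, False):
        d = make_directory(readable)
        print("proxy may read userPassword:", readable)
        print("  pam_unix :", pam_unix_auth(d, "proxy-secret", "alice", "correct horse"))
        print("  pam_ldap :", pam_ldap_auth(d, "proxy-secret", "alice", "correct horse"))
        print("  exposed  :", list_password_hashes(d, "proxy-secret"))
```

Running it shows the trade-off from the bullet lists: with the proxy agent allowed to read userPassword, both modules authenticate alice but the hash listing returns every user's hash; with that privilege withdrawn, the listing is empty and only pam_ldap still authenticates, since the comparison now happens on the server during the user's bind.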