Pam unix vs. pam ldap

From Brandonhutchinson.com

Contents 1 pam_unix 2 pam_ldap 3 Walkthrough 4 pam_ldap

pam_unix

• The userPassword attribute must be non-null
• The proxy agent (e.g., cn=proxyagent,ou=profile,dc=example,dc=com) must have read and search privileges for the userPassword attribute
• ldaplist -l passwd will return all password hashes, similar to ypcat passwd in a NIS environment
• Requires passwords to be stored in {crypt} format on the LDAP server

pam_ldap

• The proxy agent (e.g., cn=proxyagent,ou=profile,dc=example,dc=com) does not need read and search privileges for the userPassword attribute

Walkthrough

A user attempts to login to a host using ssh and is prompted for a password.

$ ssh user@host
Password:

What happens next?

pam_ldap

• The proxy agent (e.g., cn=proxyagent,ou=profile,dc=example,dc=com) does not need read and search privileges for the userPassword attribute

$ ssh user@host
$ Password:

What happens next?