Pam unix vs. pam ldap

From Brandonhutchinson.com

Revision as of 21:57, 14 December 2007 by Hutch (Talk | contribs)

Overview

The following notes list some differences between pam_unix and pam_ldap authentication.

pam_unix

With pam_unix:

  • The userPassword attribute must be non-null.
  • Passwords must be stored in {crypt} format on the LDAP server.
  • The proxy agent (e.g., cn=proxyagent,ou=profile,dc=example,dc=com) must have read and search privileges for the userPassword attribute.
  • ldaplist -l passwd will return all password hashes, similar to ypcat passwd in a NIS environment.
  • The entered password is not sent to the LDAP server.
  • The default /etc/pam.conf file is configured for pam_unix (at least on Solaris 8).

Given the severe limitation of ldaplist -l passwd returning all password hashes to any client holding the proxy agent's credentials, pam_ldap should be used if possible.

pam_ldap

With pam_ldap:

Authentication walk-through

A user attempts to log in to a host using ssh and is prompted for a password:

$ ssh user@host
Password:

What happens next?

pam_unix

  • An LDAP search is performed in the ou=people container for an entry that contains objectClass=shadowAccount and uid=user. The search base is the value of NS_LDAP_SEARCH_BASEDN from /var/ldap/ldap_client_file.
  • If an entry is found, the password specified on the command line is hashed with crypt() and compared with the userPassword attribute. If the values match, the user is authenticated.

pam_ldap

  • An LDAP search is performed in the ou=people container for an entry that contains objectClass=posixAccount and uid=user. The search base is the value of NS_LDAP_SEARCH_BASEDN from /var/ldap/ldap_client_file.
  • If an entry is found, the client attempts to bind to the LDAP server using the Distinguished Name (DN) (e.g., uid=user,ou=people,dc=example,dc=com) and password specified on the command line. If the client is able to bind, the user is authenticated.
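The two walk-throughs above, and the pam_unix limitations listed earlier, modelled in one runnable script. This is an added example, not code from the original page or from Solaris; it uses a constructed in-memory stand-in for the directory (no real LDAP client or server), constructed entries for uid=alice and uid=bob, and a salted SHA-256 stand-in for crypt(3) so that the script runs offline. The point it shows is structural: in the pam_unix flow the proxy agent must be able to read userPassword and the client compares hashes locally, so the same proxy credentials can dump every hash (the ldaplist -l passwd problem); in the pam_ldap flow the hash never leaves the server and the proxy agent needs no read access to userPassword at all.

```python
"""Model of pam_unix-style versus pam_ldap-style authentication against LDAP.

Constructed example: the Directory class stands in for an LDAP server with a
per-attribute access check. stand_in_crypt is NOT the real {crypt} algorithm;
it only plays the role of a salted one-way hash stored as "{crypt}salt$digest".
"""
import hashlib
import hmac

SEARCH_BASE = "ou=people,dc=example,dc=com"            # NS_LDAP_SEARCH_BASEDN
PROXY_DN = "cn=proxyagent,ou=profile,dc=example,dc=com"  # proxy agent from the page


def stand_in_crypt(password: str, salt: str) -> str:
    """Salted one-way hash standing in for crypt(3) (constructed, not DES/SHA-crypt)."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"{{crypt}}{salt}${digest}"


def _salt_of(stored: str) -> str:
    """Extract the salt from a "{crypt}salt$digest" value."""
    return stored[len("{crypt}"):].split("$", 1)[0]


class Directory:
    """In-memory directory: entries keyed by DN, plus one ACL switch for the proxy agent."""

    def __init__(self, entries: dict, proxy_can_read_userpassword: bool):
        self.entries = entries
        self.proxy_can_read_userpassword = proxy_can_read_userpassword

    def search(self, bound_as: str, base: str, object_class: str, uid, attrs):
        """Return (dn, visible_attrs) for matching entries, applying the ACL to userPassword."""
        results = []
        for dn, entry in self.entries.items():
            if not dn.endswith(base) or object_class not in entry["objectClass"]:
                continue
            if uid is not None and entry["uid"] != uid:
                continue
            visible = {}
            for attr in attrs:
                if attr == "userPassword" and not (
                    bound_as == PROXY_DN and self.proxy_can_read_userpassword
                ):
                    continue  # ACL denies reading the hash
                if attr in entry:
                    visible[attr] = entry[attr]
            results.append((dn, visible))
        return results

    def bind(self, dn: str, password: str) -> bool:
        """Simple bind: the server compares the password; the hash never leaves it."""
        entry = self.entries.get(dn)
        if entry is None:
            return False
        stored = entry["userPassword"]
        return hmac.compare_digest(stand_in_crypt(password, _salt_of(stored)), stored)


def build_directory(proxy_can_read_userpassword: bool) -> Directory:
    """Constructed sample entries; both users hold posixAccount and shadowAccount."""
    entries = {}
    for uid, password, salt in (("alice", "correct horse", "Ab"), ("bob", "battery staple", "Cd")):
        entries[f"uid={uid},{SEARCH_BASE}"] = {
            "objectClass": ["posixAccount", "shadowAccount"],
            "uid": uid,
            "userPassword": stand_in_crypt(password, salt),
        }
    return Directory(entries, proxy_can_read_userpassword)


# pam_unix-style deployment: proxy agent may read userPassword.
UNIX_DIR = build_directory(proxy_can_read_userpassword=True)
# pam_ldap-style deployment: proxy agent may NOT read userPassword.
LDAP_DIR = build_directory(proxy_can_read_userpassword=False)


def pam_unix_auth(directory: Directory, uid: str, password: str) -> bool:
    """pam_unix flow: search as proxy agent for shadowAccount, fetch the hash, compare locally."""
    hits = directory.search(PROXY_DN, SEARCH_BASE, "shadowAccount", uid, ["userPassword"])
    if len(hits) != 1 or "userPassword" not in hits[0][1]:
        return False  # no entry, or the hash is unreadable / null
    stored = hits[0][1]["userPassword"]
    if not stored.startswith("{crypt}"):
        return False  # pam_unix only understands {crypt}-format values
    return hmac.compare_digest(stand_in_crypt(password, _salt_of(stored)), stored)


def pam_ldap_auth(directory: Directory, uid: str, password: str) -> bool:
    """pam_ldap flow: search as proxy agent for posixAccount, then bind as the user's DN."""
    hits = directory.search(PROXY_DN, SEARCH_BASE, "posixAccount", uid, ["uid"])
    if len(hits) != 1:
        return False
    user_dn = hits[0][0]
    return directory.bind(user_dn, password)


def ldaplist_passwd(directory: Directory) -> dict:
    """Model of `ldaplist -l passwd` run with the proxy agent's credentials."""
    hits = directory.search(PROXY_DN, SEARCH_BASE, "posixAccount", None, ["uid", "userPassword"])
    return {dn: attrs.get("userPassword") for dn, attrs in hits}


if __name__ == "__main__":
    print("pam_unix, correct password:", pam_unix_auth(UNIX_DIR, "alice", "correct horse"))
    print("pam_ldap, correct password:", pam_ldap_auth(LDAP_DIR, "alice", "correct horse"))
    print("hashes exposed to proxy agent (pam_unix deployment):", ldaplist_passwd(UNIX_DIR))
    print("hashes exposed to proxy agent (pam_ldap deployment):", ldaplist_passwd(LDAP_DIR))
```

Running it shows both flows authenticating the correct password and rejecting a wrong one, but only the pam_unix-style deployment lets the proxy agent enumerate every userPassword value; in the pam_ldap-style deployment that same query returns no hashes, and pam_unix_auth fails there because the client can no longer read the attribute it needs. The ACL switch in the model corresponds to the real design decision: once pam_ldap is in use, the proxy agent's read and search privilege on userPassword can be withdrawn.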