
LDAP authentication with PAM



Hello,

I found documentation on how to set up LDAP PAM based authentication
in:

/usr/doc/directory-administrator/server_setup.txt
/usr/doc/directory-administrator/client_setup.txt

However, there seem to be certain difficulties I encountered:

- openldap2 in unstable doesn't support SSL which is considered essential.
- no mention of how to get Kerberos support going via SASL.
- every client requires a /etc/ldap.secret file which, AFAIK (guessing) allows
  the client to access the passwords of users and allows programs like chsh,
  chfn, and password to work.

The last point has me most concerned. It seems to be saying that every
host must be trusted not to mess about with the database. Also it
rules out operation on NFS-Root clients.

Another way to do this would be to use pam_krb5 for the PAM auth
service, and force users to update chsh, chfn, and password
information on the server.

However, somebody has already told me this is bad, because there is no
way to check that the LDAP data received by the client is authentic
(perhaps SSL will solve this, not sure).

Any comments anyone? Anyone able to make sense of my confused
statements?

Also, I am getting totally confused with the different PAM
services. My understanding so far:

auth     - is this user allowed access?
account  - is the user's account valid and not expired? (does this include
           password expiry)?
password - how to change the password.
session  - ???

What do chsh and chfn use to update the information? account?

What does session do?

Why do gdm and imap have password specified in /etc/pam.d/gdm,imap?
(I would be surprised if imap supported changing the password, not
sure about gdm). These are the only files that didn't have entries for
cracklib commented out. Perhaps I should add them in, seeing as I have
enabled cracklib everywhere else. I don't like this duplication of
information much though.
-- 
Brian May <bam@debian.org>
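To make the four PAM management groups asked about above concrete, here is an annotated PAM stack in the layout the post proposes (pam_krb5 for auth and password changes, LDAP consulted only for account data). This is an added illustration, not something from the post or from the directory-administrator documentation; the file name, the uid cut-off, the cracklib settings and the choice of control flags are assumptions for the example.

```conf
# Assumed example file, e.g. /etc/pam.d/login (illustrative, not from the post)

# auth: can the user prove who they are?  pam_krb5 checks the password
# against the KDC, so no host needs a bind secret that can read password
# hashes out of the directory.  Local (uid < 1000) accounts fall back to
# /etc/shadow via pam_unix.
auth     sufficient  pam_krb5.so minimum_uid=1000
auth     required    pam_unix.so try_first_pass

# account: is the already-authenticated user allowed in right now
# (expiry, disabled flag, time/host restrictions)?  This is where the
# LDAP-held account data is consulted.  user_unknown=ignore lets purely
# local accounts skip the LDAP check instead of being rejected.
account  [success=ok new_authtok_reqd=done user_unknown=ignore default=bad] pam_ldap.so
account  required    pam_unix.so

# password: how a password change is performed.  pam_cracklib only
# vets the new password (requisite: a weak choice stops the stack
# early); the change itself goes to the KDC, not to LDAP, so clients
# never need write access to directory passwords.
password requisite   pam_cracklib.so retry=3 minlen=8
password sufficient  pam_krb5.so use_authtok
password required    pam_unix.so use_authtok

# session: bookkeeping around a login, not an access decision.  Typical
# uses are resource limits and creating a home directory on first login.
session  required    pam_limits.so
session  optional    pam_mkhomedir.so skel=/etc/skel umask=0022
session  required    pam_unix.so
```

Note that chsh/chfn are not a PAM management group at all: they authenticate through the auth stack and then write the GECOS/shell fields through whatever backend NSS and the tool support, which is why the post's idea of forcing those changes onto the server does not need a client-side secret.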
