
Re: LDAP authentication with PAM



On Thu, Apr 12, 2001 at 08:43:16PM +1000, Brian May wrote:
> I found documentation on how to setup LDAP PAM based authentication,
> in
> 
> /usr/doc/directory-administrator/server_setup.txt
>                                  client_setup.txt

Are you sure it's in /usr/doc?

> - every client requires a /etc/ldap.secret file which, AFAIK (guessing) allows
>   the client to access the passwords of users and allows programs like chsh,
>   chfn, and password to work.

The purpose of /etc/ldap.secret is to provide the password for pam-ldap for
root access. This will allow root to change other users' passwords just like
local passwords.

It is not required; if it's not there, it will fall back to the dummy
solution, requesting the user's password.

> The last point has me most concerned. It seems to be saying that every
> host must be trusted not to mess about with the database. Also it
> rules out operation on NFS-Root clients.

Why so? If you don't use ldap.secret you won't need to enter _ANY_ passwords into
any file. To change data, you need to enter a valid password for changing
something.

> Any comments anyone? Anyone able to make sense of my confused
> statements?

It appears that you have gotten all your information from directory-manager, which
is not the best source of information. It is a good tool for basic setup,
though.

> Also, I am getting totally confused with the different PAM
> services. My understanding so far:
> 
> auth     - is this user allowed access?
> account  - is the user's account valid and not expired? (does this include
>            password expiry)?
> password - how to change the password.
> session  - ???
	-- set up session-specific data; this could be used to set up the
	environment and other user session data. (I recall some module which
	set up keys with this.)

> Why do gdm and imap have password specified in /etc/pam.d/gdm,imap?
> (I would be surprised if imap supported changing the password, not
> sure about gdm). These are the only files that didn't have entries for
> cracklib commented out. Perhaps I should add them in, seeing as I have
> enabled cracklib everywhere else. I don't like this duplication of
> information much though.

I actually don't know why imap would have a password entry. IMAP as a protocol does
not, to my knowledge, allow changing passwords. Maintainer mistake?

-- 
			      -< Sami Haahtinen >-
	    -< 2209 3C53 D0FB 041C F7B1  F908 A9B6 F730 B83D 761C >-
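As an added example, not code from the original message or from the pam_ldap or directory-administrator packages: the two points above, turned into a small POSIX sh script an admin could run on a pam_ldap client. `check_ldap_secret` verifies that /etc/ldap.secret, which holds in cleartext the password for the DN named by `rootbinddn` in /etc/ldap.conf (and so lets root on that client rewrite other users' directory entries), is root-owned, not readable by others, actually paired with a `rootbinddn`, and a single line; an absent file is accepted, since that is the "ask the user for their own password" fallback described above. `pam_groups` lists which management groups (auth, account, password, session) a /etc/pam.d/<service> file defines and flags a password group that does not run pam_cracklib, which is the duplication question raised about gdm and imap. Assumptions: GNU coreutils `stat -c` (BSD stat uses -f), paths overridable as arguments so the script can run against constructed files, and the fixture files written by `make_fixtures` are constructed for the demo, not real system files or a real password.

```shell
#!/bin/sh
# Added example for this thread (not from the original message or any package).
# Assumptions: GNU stat -c; paths overridable so the checks run on fixtures.

# Check a pam_ldap client's ldap.secret (cleartext password of rootbinddn).
# Returns 0 ok/absent, 2 no rootbinddn, 3 stat failed, 4 bad owner,
# 5 bad mode, 6 more than one line.
check_ldap_secret() {
    secret="${1:-/etc/ldap.secret}"
    conf="${2:-/etc/ldap.conf}"

    # Absence is a valid configuration: pam_ldap binds as the user instead,
    # and root is prompted for that user's own password on passwd/chsh/chfn.
    if [ ! -e "$secret" ]; then
        echo "ok: $secret absent; root will be prompted for the user's password"
        return 0
    fi
    # A secret with no rootbinddn to bind as is never used but still a leak risk.
    if ! grep -Eq '^[[:space:]]*rootbinddn[[:space:]]+' "$conf" 2>/dev/null; then
        echo "warn: $secret present but $conf sets no rootbinddn"
        return 2
    fi
    mode=$(stat -c '%a' "$secret") || return 3
    case "$mode" in
        600|400) ;;
        *) echo "FAIL: $secret is mode $mode; must be 0600 or 0400"; return 5 ;;
    esac
    owner=$(stat -c '%U' "$secret") || return 3
    if [ "$owner" != root ]; then
        echo "FAIL: $secret owned by $owner, not root"
        return 4
    fi
    # The file is expected to hold exactly one line (the password); extra
    # lines usually mean it was pasted in wrongly.
    if [ "$(wc -l < "$secret" | tr -d ' ')" -gt 1 ]; then
        echo "warn: $secret has more than one line"
        return 6
    fi
    echo "ok: $secret is root-owned, mode $mode, single line"
    return 0
}

# Print the management groups defined in one /etc/pam.d/<service> file.
# Returns 1 if it has a password group but no pam_cracklib line in it.
pam_groups() {
    file="$1"
    mg=$(awk '!/^[[:space:]]*(#|$)/ { print $1 }' "$file" | sort -u | tr '\n' ' ')
    echo "$(basename "$file"): $mg"
    case " $mg " in
        *" password "*)
            if ! awk '$1 == "password" && /pam_cracklib/' "$file" | grep -q .; then
                echo "  note: password group without pam_cracklib"
                return 1
            fi ;;
    esac
    return 0
}

# Constructed fixtures (not real system files, not a real password) so the
# checks can be exercised offline in a scratch directory.
make_fixtures() {
    d="$1"
    mkdir -p "$d/pam.d"
    printf 'host ldap.example.org\nbase dc=example,dc=org\nrootbinddn cn=admin,dc=example,dc=org\n' > "$d/ldap.conf"
    printf 'base dc=example,dc=org\n' > "$d/ldap-noroot.conf"
    printf 'not-a-real-password\n' > "$d/ldap.secret"
    chmod 644 "$d/ldap.secret"
    printf 'auth\trequired\tpam_unix.so\naccount\trequired\tpam_unix.so\npassword\trequired\tpam_unix.so\n' > "$d/pam.d/imap"
    printf 'auth\trequired\tpam_unix.so\naccount\trequired\tpam_unix.so\npassword\trequired\tpam_cracklib.so retry=3\npassword\trequired\tpam_unix.so use_authtok\nsession\trequired\tpam_unix.so\n' > "$d/pam.d/login"
}

# Usage against the fixtures (expected failures are tolerated with || true).
tmp=$(mktemp -d)
make_fixtures "$tmp"
check_ldap_secret "$tmp/ldap.secret" "$tmp/ldap.conf" || true   # FAIL: mode 644
chmod 600 "$tmp/ldap.secret"
check_ldap_secret "$tmp/ldap.secret" "$tmp/ldap.conf" || true   # ok only when run as root
check_ldap_secret "$tmp/missing" "$tmp/ldap.conf"               # ok: absent
pam_groups "$tmp/pam.d/imap" || true                             # note: no pam_cracklib
pam_groups "$tmp/pam.d/login"
rm -rf "$tmp"
```

Run it without arguments on a real client and the two checks fall back to /etc/ldap.secret, /etc/ldap.conf and whatever /etc/pam.d files you pass to `pam_groups`; the owner check will only pass when the script itself runs as root or inspects a root-owned file.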


