[Christoph Haas]
> Okay, so libpam-ldap is mandatory in that case? Good to know. Most
> of the documentation I found said that only libnss-ldap is needed
> for login and libpam-ldap's only use is for changing the password
> over LDAP.
Yes, pam is needed to do proper authentication (password checking), and nss is needed to find information about users and groups. Yes, you can use nss to find password hashes and authenticate locally after fetching the hash using LDAP, but it is a very bad idea, as you really want to avoid password hashes leaving your LDAP server.

> However whether it's SSL or not shouldn't matter really since this
> is a local kcheckpass that needs to access the pam/nss configuration
> on the local machine. But generally SSL is surely preferred.

I do not understand your comment. pam-ldap sends the password to the LDAP server, and the LDAP server accepts or denies the connection. If this connection isn't done using SSL (or TLS), the password is sent in clear text over the net to the LDAP server. You do not want that, so you want to make sure pam-ldap uses SSL or TLS. nss-ldap, on the other hand, does not send any passwords; it only fetches information from the LDAP server, and it does it fairly often, so you do not want the overhead of encryption there, and you also want to make sure nscd is running to cache any search results to reduce the amount of LDAP traffic needed.

> Where did you find this documented? I admit I'm no PAM guru at all.
> In theory it's simple but in practice PAM has never obeyed my
> orders. In /usr/share/doc/libpam-ldap/examples/ the example pam.d
> files have pam_ldap.so mentioned in every file which is surely worse
> than using common-auth.

Not sure. It is the default configuration in Debian Edu.

> I just tried your pam.d/common-auth configuration and then indeed
> kcheckpass works without running setuid root. A miracle! :)

:)

> You don't need a "rootbinddn" here? I tried to remove it but couldn't
> login as a user any more.

No. It is only needed if you want your root user to be able to update the LDAP database as a privileged user. Normally, you do not want this.
The users can be allowed to change their own password if the LDAP server gives them write access to their own LDAP entry, and there is no need for the rootbinddn for this.

> Since the password should be either MD5 or Crypt (what I use) the
> password should not go over the line in cleartext anyway. However it
> may be cracked with john probably when sniffed on the net.

Actually, you got it backwards, as explained above. pam-ldap isn't using the password hash to check the password. It is passing the password over to the LDAP server (using an LDAP bind), and letting the LDAP server decide if the password is correct or not.

Friendly,
--
Petter Reinholdtsen
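As an added illustration of the point made above (example code written for this page, not from the thread or from pam-ldap/nss-ldap themselves): the LDAPv3 simple BindRequest that pam-ldap sends for a login, built and decoded with a minimal BER codec. On a plain ldap:// connection these bytes are exactly what an on-path observer sees, which is what makes an unencrypted simple bind something a network monitor should flag; the DN and password are constructed sample values.

```python
# Added example: encode/decode an LDAPv3 simple BindRequest (RFC 4511) to show
# that without SSL/TLS the user's password is carried verbatim in the packet.
# All DNs and passwords are constructed sample values, not real credentials.

def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber(tag: int, payload: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload

def simple_bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest { version 3, name, [0] simple } }."""
    msg_id = ber(0x02, message_id.to_bytes(message_id.bit_length() // 8 + 1, "big"))
    version = ber(0x02, b"\x03")                   # INTEGER 3
    name = ber(0x04, bind_dn.encode())             # OCTET STRING holding the bind DN
    simple = ber(0x80, password.encode())          # context tag [0]: simple authentication
    bind_req = ber(0x60, version + name + simple)  # APPLICATION 0, constructed
    return ber(0x30, msg_id + bind_req)            # SEQUENCE wrapping the LDAPMessage

def _read_tlv(buf: bytes, pos: int):
    """Read one BER element at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_simple_bind(packet: bytes):
    """Recover (message_id, bind_dn, password) from a simple BindRequest, or None.
    That this works on ldap:// traffic is why pam-ldap must use SSL/TLS."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        return None
    tag, mid, pos = _read_tlv(msg, 0)
    tag2, bind, _ = _read_tlv(msg, pos)
    if tag != 0x02 or tag2 != 0x60:
        return None
    _, _version, pos = _read_tlv(bind, 0)
    _, name, pos = _read_tlv(bind, pos)
    tag, auth, _ = _read_tlv(bind, pos)
    if tag != 0x80:
        return None                                # SASL bind: no simple password present
    return int.from_bytes(mid, "big"), name.decode(), auth.decode()

if __name__ == "__main__":
    pkt = simple_bind_request(1, "uid=alice,ou=people,dc=example,dc=org", "s3cret")
    print(pkt.hex())
    print(parse_simple_bind(pkt))
```

The same decoding applied to a TLS-wrapped session yields nothing, since the observer only sees the TLS record layer; nss-ldap lookups carry no password and so gain nothing comparable from encryption, as the message above explains.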