LDAP password authentication/modification schemes

From: splin (splin.sp_RemoveThisLotToReply_lin_at_ntlworld.com)
Date: 06/18/04


Date: Fri, 18 Jun 2004 00:44:11 +0100

We are considering using LDAP to replace NIS+. It seems though that there
are a lot of different options. I believe that PAM_LDAP is the recommended
option, though we would likely use OpenLDAP (V3) servers and probably use
SSL to encrypt the client to LDAP server transactions.

Clients would be HP-UX 11i; authentication would be required for login,
rlogin, telnet, ftp, rexec and su as a minimum. We don't currently use NIS.

However we may need to implement some custom password/login rules, rather
like those of Trusted Mode. These would include password history to prevent
reuse of recent passwords, and lockouts after a number of failed logins.
Passwords including the user name (or its reverse), palindromes, repetitive
passwords, etc. would be rejected. Forced password change after first login
and after a specified duration would also be required.

I'm not sure, though, exactly where this would be implemented. If it were to
be done in the server (which would have the advantage of simplifying
maintenance of this code) would we have to implement our own PAM_LDAP to
understand the server's responses and/or provide the appropriate responses to
the user when logging in? E.g. when forcing the user to change password after
first login. If we were to display the time and date of the user's last
login, again presumably this would have to be done in a custom PAM_LDAP?

If we also need to provide similar password management for local users then
presumably we again would have to provide our own PAM_LDAP implementation.
Are there any interfaces in the UX LDAP client services to allow us to
provide our own password management without providing a complete PAM_LDAP
implementation?

Would a custom PAM_LDAP implementation be a major and difficult task to
undertake? I guess that starting from the open

I'm sure that many others must have similar problems, so are there any
standards/implementations which address some if not all of these
requirements already? Would PADL's open source PAM_LDAP be the only sensible
place to start?

I notice there are several RFCs that relate to this issue. Which are the
current recommended ones that I should be looking at? Where do I start
looking? ;~)

Thanks in advance for any guidance or references that anyone can offer,

Splin.
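The post lists the rules it wants enforced (password history, lockout after repeated failures, rejection of passwords that contain the user name or its reverse, palindromes, and repetitive strings) without showing what they look like as checks. The block below is an added, stand-alone illustration of those rules written for this page; it is not code from PAM_LDAP, OpenLDAP, PADL or HP-UX, and all names in it (`check_password`, `PasswordHistory`, `LoginLockout`, the iteration count) are this example's own assumptions. In a real deployment the same logic would sit either in the directory server's password policy or in the password-change path of a PAM module; here it is plain Python so the behaviour of each rule can be run and inspected.

```python
"""Password/login rule checks of the kind the post asks about (added example)."""
from __future__ import annotations

import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # work factor for stored history digests (assumed value)


def contains_username(password: str, username: str) -> bool:
    """True if the user name, or its reverse, appears anywhere in the password."""
    if not username:
        return False  # an empty name would otherwise match every password
    pw, user = password.lower(), username.lower()
    return user in pw or user[::-1] in pw


def is_palindrome(password: str) -> bool:
    """True if the password reads the same backwards (case-insensitive)."""
    pw = password.lower()
    return len(pw) > 1 and pw == pw[::-1]


def is_repetitive(password: str) -> bool:
    """True if the password is one short block repeated, e.g. 'aaaaaa' or 'abcabc'."""
    n = len(password)
    for period in range(1, n // 2 + 1):
        if n % period == 0 and password == password[:period] * (n // period):
            return True
    return False


class PasswordHistory:
    """Keeps salted digests of the last `depth` passwords so recent ones cannot be reused."""

    def __init__(self, depth: int = 8):
        self.depth = depth
        self._entries: list[tuple[bytes, bytes]] = []  # (salt, digest), oldest first

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    def seen(self, password: str) -> bool:
        """Constant-time comparison against every stored digest."""
        return any(hmac.compare_digest(self._digest(password, salt), digest)
                   for salt, digest in self._entries)

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(password, salt)))
        del self._entries[:-self.depth]  # keep only the newest `depth` entries


def check_password(candidate: str, username: str, history: PasswordHistory,
                   min_length: int = 8) -> list[str]:
    """Return the list of rule violations; an empty list means the password is acceptable."""
    violations = []
    if len(candidate) < min_length:
        violations.append(f"shorter than {min_length} characters")
    if contains_username(candidate, username):
        violations.append("contains the user name or its reverse")
    if is_palindrome(candidate):
        violations.append("is a palindrome")
    if is_repetitive(candidate):
        violations.append("is a repeated pattern")
    if history.seen(candidate):
        violations.append("was used recently")
    return violations


class LoginLockout:
    """Counts consecutive failed logins per user and locks the account for a period."""

    def __init__(self, max_failures: int = 5, lock_seconds: int = 900):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self._failures: dict[str, int] = {}
        self._locked_until: dict[str, float] = {}

    def is_locked(self, user: str, now: float) -> bool:
        return self._locked_until.get(user, 0.0) > now

    def failed(self, user: str, now: float) -> bool:
        """Record a failure; return True if this failure triggered a lockout."""
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.max_failures:
            self._locked_until[user] = now + self.lock_seconds
            self._failures[user] = 0
            return True
        return False

    def succeeded(self, user: str) -> None:
        """A successful login clears the failure counter and any expired lock."""
        self._failures.pop(user, None)
        self._locked_until.pop(user, None)


if __name__ == "__main__":
    hist = PasswordHistory(depth=4)
    hist.record("old-password-1")
    for pw in ("splin1234", "abcabcabc", "level", "old-password-1", "correct-horse-9"):
        print(f"{pw!r}: {check_password(pw, 'splin', hist) or 'ok'}")
```

The history keeps only salted, iterated digests rather than the old passwords themselves, and `seen` uses `hmac.compare_digest` so the comparison time does not depend on how much of a digest matches. `LoginLockout` takes the clock as a parameter so the expiry logic can be exercised deterministically.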


