Re: pam_ldap and password management and rsh/ssh without password

From: Jason King (jasonking_at_sbcglobal.net)
Date: 06/17/05


Date: Fri, 17 Jun 2005 00:31:19 GMT

Polly Squires wrote:
> The System Administration Guide: Naming and Directory Services (DNS,
> NIS, and LDAP) says that if you enable pam_ldap, rsh/ssh and any
> authentication that doesn't require a password will fail. So it seems
> my choice is to fall back to pam_unix_account, which ignores the fact
> that accounts may be expired (via LDAP). This doesn't make sense to
> me. (Why isn't there a pam_ldap_account?)
>
> I am not hiding expiry information from my proxy...why is this a
> problem?
>
> At any rate, I'm sure that there are people out there who are using
> ldap for password management that have a working solution with
> ldap/rsh/ssh and password aging. What are people doing?
>

Funny you should mention that; I just mentioned something about this on
the opensolaris-rfe list. Basically what's happening is that pam_ldap is
using an LDAP control returned as part of an LDAP bind operation to
obtain password expiration information, which of course means that
pam_ldap has to actually be able to bind to the LDAP server as the user
(which it cannot do when using public key auth or rhosts, since it never
actually gets the password), so it returns a failure.

You might be able to get away with manually maintaining the
shadowAccount attributes (though I haven't tried this). The
disadvantage of this is that the clients are then managing the password
policy instead of letting the LDAP server do it (i.e. each client would
have to check the shadowLastChange, etc. attributes and enforce action
appropriately). If you're doing only UNIX authentication, this might
work. If you also want other things to authenticate users against the
same LDAP server, then you might start to run into issues (as they
would also have to know to check those attributes to make sure an
account isn't expired, or whether the user needs to change their
password).
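To make the client-side alternative concrete, here is an added example (not code from the original post, from pam_ldap or from Solaris) of what "each client checks shadowLastChange, etc." amounts to. It parses a constructed LDIF dump of shadowAccount entries and evaluates the aging attributes the way shadow(5) defines them, in the order Linux pam_unix applies the checks (an assumption; Solaris' own account module may differ in ordering). The entries, the fixed "today" of day 12950 and the function names are all constructed for the example.

```python
"""Client-side evaluation of shadowAccount password-aging attributes.

Added example, not from the original post or from pam_ldap. When a login
never binds to the directory as the user (public-key or rhosts auth), the
server's bind-time expiry control is unavailable, so the client has to
read the shadow attributes itself. Rules follow shadow(5) semantics in the
order Linux pam_unix applies them (assumption). All values are day counts
since 1970-01-01; -1 means the attribute is absent.
"""
import time

# Constructed sample directory data; "today" is pinned to day 12950.
SAMPLE_TODAY = 12950
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
shadowLastChange: 12900
shadowMax: 90
shadowWarn: 7
shadowInactive: 14
shadowExpire: 20000

dn: uid=bob,ou=People,dc=example,dc=com
shadowLastChange: 0
shadowMax: 90
shadowInactive: 14

dn: uid=carol,ou=People,dc=example,dc=com
shadowLastChange: 12800
shadowMax: 90
shadowInactive: 14

dn: uid=dave,ou=People,dc=example,dc=com
shadowLastChange: 12850
shadowMax: 90
shadowWarn: 7

dn: uid=erin,ou=People,dc=example,dc=com
shadowLastChange: 12940
shadowMax: 90
shadowExpire: 12940

dn: uid=frank,ou=People,dc=example,dc=com
shadowLastChange: 12865
shadowMax: 90
shadowWarn: 7
"""


def parse_ldif(text):
    """Parse minimal LDIF (no base64, no continuation lines) into
    {dn: {attr: [values]}}."""
    entries, cur = {}, None
    for line in text.splitlines():
        if not line.strip():
            cur = None                      # blank line ends an entry
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        attr, value = attr.strip(), value.strip()
        if attr == "dn":
            cur = entries.setdefault(value, {})
            continue
        if cur is None:
            raise ValueError("attribute before dn: %r" % line)
        cur.setdefault(attr, []).append(value)
    return entries


def _days(entry, attr):
    vals = entry.get(attr)
    return int(vals[0]) if vals else -1


def account_status(entry, today=None):
    """Return (verdict, detail); verdict is 'ok', 'warn',
    'change_password' or 'expired'."""
    if today is None:
        today = int(time.time() // 86400)
    lastchg = _days(entry, "shadowLastChange")
    maxdays = _days(entry, "shadowMax")
    warn = _days(entry, "shadowWarn")
    inact = _days(entry, "shadowInactive")
    expire = _days(entry, "shadowExpire")

    if expire != -1 and today >= expire:        # hard account expiry
        return "expired", "account disabled since day %d" % expire
    if lastchg == 0:                            # admin forced a change
        return "change_password", "password change forced by administrator"
    if lastchg == -1 or maxdays == -1:          # aging not configured
        return "ok", "no password aging configured"
    age = today - lastchg
    if age < 0:                                 # clock skew / bad data
        return "ok", "last change is in the future; skipping aging checks"
    if inact != -1 and age > maxdays + inact:   # past the grace period
        return "expired", "password expired, %d-day grace exceeded" % inact
    if age > maxdays:                           # expired, still changeable
        return "change_password", "password expired %d days ago" % (age - maxdays)
    if warn != -1 and age > maxdays - warn:     # inside the warning window
        return "warn", "password expires in %d days" % (lastchg + maxdays - today)
    return "ok", "password is %d days old, limit %d" % (age, maxdays)


def evaluate_all(ldif_text, today=None):
    """Map each dn in the LDIF to its verdict."""
    return {dn: account_status(e, today)[0]
            for dn, e in parse_ldif(ldif_text).items()}


if __name__ == "__main__":
    for dn, entry in parse_ldif(SAMPLE_LDIF).items():
        verdict, detail = account_status(entry, SAMPLE_TODAY)
        print("%-16s %-40s %s" % (verdict, dn, detail))
```

Feeding it real data is a matter of replacing SAMPLE_LDIF with the output of an LDIF-producing search (for example OpenLDAP's ldapsearch -LLL restricted to the shadow* attributes). The point of the example is the cost Jason describes: every one of these rules, and their ordering, now lives on every client rather than on the server, and any non-UNIX consumer of the same directory has to reimplement them too.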
