Re: LDAP bind authentication



david.magda@xxxxxxxxx wrote:
Hello,

As far as I understand it, for authentication against an LDAP back-
end, Solaris binds via a service / proxy account, looks up the
password field, and then does compare on the password entered by the
user and the password in the LDAP database. If the strings access is
granted.


This is one possible configuration.

On the other hand, what Linux (and BSD?) does by default is take the
username that is entered, create a DN, and tries to do an LDAP bind
operation with that DN and password to the LDAP server. If the bind
succeeds access is granted, if not it's denied.


This configuration is also possible in Solaris.

If the above is correct, is there any way for Solaris to do an LDAP
bind for authentication? (Of course it may still need the proxy
account to do look ups for things like GECOS, etc.)


Solaris doesn't need to use a proxy account. The main reason it does is because virtual list view indexes aren't available to non-authenticated users using Sun's Directory Server, IIRC. VLVs are designed to return subsets of the attributes of an object (think views in a database) and are particularly of interest to Solaris because things like 'getent' only need the RFC 2307 attributes to complete their job, making queries against VLVs faster.

Now, to force the client to perform a bind to authenticate instead of having the client compare the hashes locally you have to:

1. make sure the proxy user can't see the hash
2. everywhere in /etc/pam.conf that you see:
<servicename> auth required pam_unix_auth.so.1

change this to:
<servicename> auth binding pam_unix_auth.so.1 server_policy
<servicename> auth required pam_ldap.so.1

If you also want to have the LDAP server apply its password policy when password changes happen (i.e. the client sends the password in clear-text to the server for rule checking and subsequent hashing), then you need to change "other password" as follows:

other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy

BTW, #1 is very important; otherwise pam_unix_auth.so.1 will continue to succeed and pam_ldap.so.1 will never be reached.

Neal
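As an added example (not part of Neal's post), the two steps above scripted as checks: does the proxy account still get userPassword back, and the pam.conf rewrite from step 2. It assumes ldapsearch(1)-style LDIF output and Solaris pam.conf syntax; the sample data is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Scripts the two steps above:
# (1) confirm the proxy account can no longer read userPassword, since
#     otherwise pam_unix_auth.so.1 keeps succeeding and pam_ldap.so.1 is
#     never reached; (2) rewrite the pam.conf auth lines as described.
# Assumes ldapsearch(1)-style LDIF output and Solaris pam.conf syntax.

# Return 0 if the LDIF in $1 carries a userPassword attribute (also
# matches the base64 form "userPassword::"); attribute names are
# case-insensitive in LDAP, hence grep -i.
hash_visible() {
    printf '%s\n' "$1" | grep -qi '^userPassword:'
}

# Turn each "<svc> auth required pam_unix_auth.so.1" line into the
# binding/server_policy line plus a required pam_ldap.so.1 line; every
# other line (comments, other modules) is passed through untouched.
rewrite_pam_auth() {
    printf '%s\n' "$1" | awk '
        $2 == "auth" && $3 == "required" && $4 == "pam_unix_auth.so.1" {
            print $1 " auth binding pam_unix_auth.so.1 server_policy"
            print $1 " auth required pam_ldap.so.1"
            next
        }
        { print }'
}

# Constructed sample inputs (not real directory data or a real pam.conf).
SAMPLE_LDIF='dn: uid=jdoe,ou=People,dc=example,dc=com
uid: jdoe
userPassword: {crypt}PLACEHOLDER'
SAMPLE_PAM='login auth requisite pam_authtok_get.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1'

if hash_visible "$SAMPLE_LDIF"; then
    echo "proxy user can still read userPassword: restrict its read access first"
fi
rewrite_pam_auth "$SAMPLE_PAM"
```

In practice feed hash_visible the output of an ldapsearch run as the proxy DN, and rewrite_pam_auth the contents of /etc/pam.conf, reviewing the result before installing it.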


