Re: ldap authentication (?)
Sunil Ghelani wrote:
>
> hi,
> i was wondering how to use the openldap package with authentication
> provision. If we want to perform ldapadd, ldapsearch operations, etc. without
> binding as the rootdn and rootpasswd, how do we give the password of a
> regular user who wants to bind himself?
For LDAP purposes, there are no users, what you have are Distinguished
Names. What you have to do is to create in the directory an entry for
each "user", be it a person or a role or whatever. The simplest, most
insecure and, typically, the only method available in OpenLDAP is to
store the password in the userPassword attribute in the entry. Then
you give ldapadd the DN of the entry to bind as and the value of the
userPassword in that entry. The access will be limited by the access
rights specification in slapd.conf.
Depending on the software you use and how you configure it, you may have
a variety of methods for authentication.
> how does the server know what password file to use to verify the
> correctness of the password? What is the format of this password file?
For simple (userPassword) authentication, there is no password file,
info is in the directory entry named as the DN you bind as, that will
typically represent a "user".
Of course, reusable authentication info sucks, reusable authentication
info stored in a symmetrical format (not hashed) sucks harder and when
that kind of authentication info travels unencrypted its suckiness
rises to unimaginable heights. And then there is session stealing
and all that.
To sum up, be careful.
Julio