
Re: Linux user authentication and shadow passwords



On 30 May, Andreas Hasenack wrote:
> Em Tue, May 30, 2000 at 05:07:15PM -0400, Adrian Likins escreveu:
>> 	Of course, if nss_ldap is being used, and you're using pam_unix,
>> then you don't need to use pam_ldap, as pam_unix will use the crypted passwd
>> getent and friends return. 
> 
> This will only work if you configure nss to NOT bind anonymously (/etc/ldap.conf).
> Otherwise it won't have access to the userpassword attribute. pam_ldap uses the
> user-entered info (name & password) to bind to the ldap server, and only then
> will the server allow the userpassword attribute to be read.
> Well, I don't know exactly what determines the success of the authentication:
> the binding or, after the binding, being able to read the userpassword attribute.

Not true. By default openldap doesn't have any permissions and anyone
can access the userpassword attribute (netscape does but since this is
the openldap mailinglist... <g>).

It is the act of binding which grants access in the authenticate phase.
You can still be denied during the account management phase (i.e.
account expiry, group membership, host access, etc.)

> I tried once to bind as me (andreas) in /etc/ldap.conf and then I could authenticate
> as myself without using pam_ldap, but all the other users couldn't anymore.

Depends on your configuration and ACLs.

-- 
Doug Nazar
Dragon Computer Consultants Inc.
Tel: (416) 708-1578     Fax: (416) 708-8081
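The two configurations the thread is arguing about, side by side, as an added illustration that is not part of the original exchange. The first half is an OpenLDAP slapd.conf ACL: with no "access to" directive at all, slapd's default is equivalent to "access to * by * read", which is the "anyone can read userPassword" situation Doug describes; the rule below replaces it with one that lets anonymous clients use the hash only for binding (enough for pam_ldap, which binds as the user) and lets a single proxy DN read it (needed for pam_unix over nss_ldap, which compares the hash itself). The second half is the matching PADL nss_ldap /etc/ldap.conf. The host name, suffix and proxy DN are assumed values, not taken from the thread.

```conf
# ---- slapd.conf ------------------------------------------------------------
#
# Default when no "access to" clause is present (what the thread calls
# "no permissions"): every entry and attribute, including userPassword
# hashes, is readable by anybody who can connect, anonymous or not.
#
#   access to * by * read
#
# Hardened form. Clauses are matched in order and the first "access to"
# whose target matches wins, so the userPassword rule must come before the
# catch-all. "auth" lets a client present a password in a bind without
# being able to read the stored hash.
access to attrs=userPassword
        by self write                                    # user may change own password
        by dn="cn=nssproxy,dc=example,dc=com" read       # assumed proxy DN for nss_ldap
        by anonymous auth                                # bind only, no read: pam_ldap works
        by * none                                        # everyone else: nothing

access to *
        by * read                                        # ordinary passwd/group data stays public

# ---- /etc/ldap.conf (PADL nss_ldap) ----------------------------------------
#
# host/base are assumptions for this example.
host ldap.example.com
base dc=example,dc=com

# No "binddn" here: non-root processes (a user running getent passwd)
# bind anonymously and, under the ACL above, see no userPassword at all,
# which mirrors /etc/shadow being unreadable to ordinary users.

# Processes running as root (login, sshd, su, and therefore pam_unix in
# the auth phase) bind with this DN; its password is read from
# /etc/ldap.secret, which must be owned by root and mode 0600.
# Do NOT put the proxy password in "bindpw" in this world-readable file,
# or every local user could fetch every hash through the proxy account.
rootbinddn cn=nssproxy,dc=example,dc=com
```

With this pair, pam_ldap authenticates by binding as the user (the "auth" grant is all it needs), while pam_unix over nss_ldap only works from root-owned processes, via the proxy DN. Andreas's experiment, putting his own DN in binddn, gave his account read on userPassword and everyone else's nothing, which is exactly the ACL behaviour Doug points to.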