
pam_ldap and Apache enumerating all groups

Hi,

My RH 7.3 system is now working fine authenticating to Active Directory
using nss_ldap and pam_ldap with the following /etc/pam.d/system-auth
file:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so
 
account     required      /lib/security/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore \
            system_err=ignore] /lib/security/pam_ldap.so

Authentication and group enumeration are fast (sub 1 second), as
expected. While using mod_auth_pam for Apache however, this doesn't
work. I had to modify /etc/pam.d/httpd to have only the following lines:

auth        required      /lib/security/pam_ldap.so
account     required      /lib/security/pam_ldap.so

Which works. Looking at the network traffic, the mod_auth_pam module
checks the user, then continues to enumerate the entire LDAP tree for
all groups. This now takes about 10-15 seconds to complete.

I can understand why Apache would want to know the group memberships for
the user, but is there a reason that the pam_ldap module works
differently and group queries?

--- Gavin Adams
Promisant (USA) Inc.
O: +1.404.262.7321 M: +1.404.213.5539
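Since the post turns on how the two PAM stacks differ, here is an added example (not from the post and not Linux-PAM's own code) that parses the system-auth file quoted above and walks each stack with the control-flag semantics of pam.conf(5), showing which modules actually get consulted. The return codes handed to each module are constructed scenarios, not what pam_unix or pam_ldap really return on that system.

```python
import re

# Keyword controls as defined in pam.conf(5); the bracketed account line is the general form.
KEYWORDS = {
    "required":   {"success": "ok", "ignore": "ignore", "default": "bad"},
    "sufficient": {"success": "done", "default": "ignore"},
}

def parse_pam(text):
    """Return {type: [(control_dict, module_path), ...]} from a pam.d file body."""
    stacks = {}
    text = re.sub(r"\\\n\s*", " ", text)  # join backslash-continued lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line: continue
        mtype, control, module = re.match(r"(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)", line).groups()
        if control.startswith("["):
            ctl = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            ctl = KEYWORDS[control]
        stacks.setdefault(mtype, []).append((ctl, module))
    return stacks

def run_stack(stack, results):
    """Walk one stack with the ok/bad/die/done/ignore actions of pam.conf(5).
    results maps module basename -> its return code (unlisted modules succeed)."""
    failed, called = None, []
    for ctl, module in stack:
        name = module.rsplit("/", 1)[-1]
        called.append(name)
        ret = results.get(name, "success")
        action = ctl.get(ret, ctl.get("default", "bad"))
        if action in ("bad", "die"):
            failed = failed or ret  # first failure is remembered
            if action == "die": break
        elif action == "done" and failed is None:
            break  # sufficient module succeeded: stop without consulting the rest
    return ("failure" if failed else "success"), called

# The system-auth stack from the post, reconstructed here as constructed sample input.
SYSTEM_AUTH = """\
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore \\
            system_err=ignore] /lib/security/pam_ldap.so
"""
STACKS = parse_pam(SYSTEM_AUTH)
```

With a local user that pam_unix accepts, run_stack reports that pam_ldap is never reached; only when pam_unix does not succeed does the stack fall through to it, which is the difference from the two-line httpd stack where pam_ldap is always consulted.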