[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Alternatives to LDAP

wc -l /etc/pam.conf
    107 /etc/pam.conf

Also look at /etc/pam.d

My /etc/pam.conf is empty. /etc/pam.d contains exactly those short one-per-app files I mentioned.

Profiling needs to be done. For example, pam_ldap.so on RH 6.2 is about 50 kb in size.

pam_ldap is one of the largest, most complex PAM modules out there. For the services I have done profiling with, which include smtp and imap servers, authentication time is negligible in comparison to the many other things involved in establishing a connection. I know this because changing the authentication method didn't change the connections per second I could handle at all.

Wrong. pam_ldap ships with MD5 support. Just checked yesterday. It did
not when I tried to use it a year ago.

Looking though the code, I see you are right. But I know that I was using MD5 hashes with PAM nearly 2 years ago. I also know that for a long while there was a problem with the Red Hat builds (up to 7.0 I believe) that pam_ldap supported MD5 hashes but they linked to a crypto library that didn't. And I also know (see below) that you can store and use hashed passwords in LDAP without pam_ldap supporting any hashing at all.

This is ridiculous, we have a commercial (from a company which rhymes
with Crisco) RADIUS server which only supports this type of LDAP authentication, and it forced us to create an LDAP entry
per service per user.

What I described doesn't require this. I authenticate about 12 different services from many different servers and each user has only ONE userPassword attribute. I set
access to attribute=userPassword
by self write
by anonymous auth
by * none
and pam_ldap doesn't attempt to read userPassword or any other attribute for any service. It just attempts to bind to the LDAP server using the credentials the server gives it, and if the bind succeeds, it returns success. Note that this also means all the hashing is done in OpenLDAP; pam_ldap doesn't have to support any hash at all.

But it depends on PAM.

Do it doesn't. It depends on the name service system of your OS using nss_ldap (which is not pam_ldap, even though Red Hat stupidly packages them together and compiles them to use the same configuration file; Debian, for example, does not do this). Your applications don't have to be aware of PAM or of anything else to use it. They just call getpwent as usual and the OS takes care of getting the info from whatever sources are specified in /etc/nsswitch.conf, which may include your LDAP server.