Re: Alternatives to LDAP
> wc -l /etc/pam.conf
> Also look at /etc/pam.d
My /etc/pam.conf is empty. /etc/pam.d contains exactly those short
one-per-app files I mentioned.
> Profiling needs to be done. For example, pam_ldap.so on RH 6.2 is
> about 50 kb in size.
pam_ldap is one of the largest, most complex PAM modules out there. For
the services I have done profiling with, which include smtp and imap
servers, authentication time is negligible in comparison to the many
other things involved in establishing a connection. I know this because
changing the authentication method didn't change the connections per
second I could handle at all.
> Wrong. pam_ldap ships with MD5 support. Just checked yesterday. It did
> not when I tried to use it a year ago.
Looking through the code, I see you are right. But I know that I was
using MD5 hashes with PAM nearly 2 years ago. I also know that for a
long while there was a problem with the Red Hat builds (up to 7.0 I
believe) that pam_ldap supported MD5 hashes but they linked to a crypto
library that didn't. And I also know (see below) that you can store and
use hashed passwords in LDAP without pam_ldap supporting any hashing at all.
> This is ridiculous, we have a commercial (from a company which rhymes
> with Crisco) RADIUS server which only supports this type of
> LDAP authentication, and it forced us to create an LDAP entry
> per service per user.
What I described doesn't require this. I authenticate about 12 different
services from many different servers and each user has only ONE
userPassword attribute. I set
access to attribute=userPassword
by self write
by anonymous auth
by * none
and pam_ldap doesn't attempt to read userPassword or any other attribute
for any service. It just attempts to bind to the LDAP server using the
credentials the server gives it, and if the bind succeeds, it returns
success. Note that this also means all the hashing is done in OpenLDAP;
pam_ldap doesn't have to support any hash at all.
> But it depends on PAM.
No it doesn't. It depends on the name service system of your OS using
nss_ldap (which is not pam_ldap, even though Red Hat stupidly packages
them together and compiles them to use the same configuration file;
Debian, for example, does not do this). Your applications don't have to
be aware of PAM or of anything else to use it. They just call getpwent
as usual and the OS takes care of getting the info from whatever sources
are specified in /etc/nsswitch.conf, which may include your LDAP server.
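The bind-based scheme described in the reply above, as an added example that is not part of the original post or of OpenLDAP/pam_ldap: a small Python model of what the server side does when pam_ldap binds with the credentials it was handed. The {SSHA}/{SHA}/{SMD5}/{MD5} layouts are OpenLDAP's standard userPassword schemes (base64 of digest, with the raw salt appended for the salted ones); the directory entries, the DNs under dc=example,dc=org, the passwords and the ACL evaluator are constructed for illustration. The point it shows is the one the reply makes: the client never reads userPassword and never hashes anything, it only gets a yes/no from the bind, and the three ACL clauses decide who can authenticate against, read, or change the attribute.

```python
"""Added example (not from the original post): a model of an OpenLDAP
simple bind against a hashed userPassword, plus the ACL from the post.
Entries, DNs, passwords and the ACL evaluator are constructed here."""
import base64
import binascii
import hashlib
import hmac
import os

_ALGO = {"SSHA": hashlib.sha1, "SHA": hashlib.sha1,
         "SMD5": hashlib.md5, "MD5": hashlib.md5}
_SALTED = {"SSHA", "SMD5"}


def hash_password(password: str, scheme: str = "SSHA") -> str:
    """Build a userPassword value in OpenLDAP's {SCHEME}base64 layout.
    Salted schemes append the raw salt to the digest before encoding,
    which is how slappasswd lays them out."""
    if scheme not in _ALGO:
        raise ValueError(f"unsupported scheme {scheme}")
    salt = os.urandom(4) if scheme in _SALTED else b""
    digest = _ALGO[scheme](password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())


def verify_password(stored: str, candidate: str) -> bool:
    """Server-side comparison: parse the scheme tag, split digest from salt,
    recompute and compare in constant time. This is the only place the hash
    algorithm matters; the binding client needs no hash support at all.
    Untagged values (which real OpenLDAP treats as cleartext) are rejected."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, b64 = stored[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme not in _ALGO:
        return False
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return False
    n = _ALGO[scheme]().digest_size
    digest, salt = raw[:n], raw[n:]
    if scheme not in _SALTED and salt:
        return False
    computed = _ALGO[scheme](candidate.encode() + salt).digest()
    return hmac.compare_digest(computed, digest)


# Constructed directory: one entry per user, one userPassword attribute each.
ALICE = "uid=alice,ou=people,dc=example,dc=org"
BOB = "uid=bob,ou=people,dc=example,dc=org"
DIRECTORY = {
    ALICE: {"userPassword": hash_password("correct horse")},
    BOB: {"userPassword": hash_password("battery staple", "SMD5")},
}

# The ACL from the post, evaluated first match wins (OpenLDAP semantics):
#   access to attribute=userPassword
#     by self write
#     by anonymous auth
#     by * none
ACL_USERPASSWORD = [("self", "write"), ("anonymous", "auth"), ("*", "none")]
_LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def access_level(bound_dn, target_dn):
    """bound_dn is None for an anonymous connection."""
    for who, level in ACL_USERPASSWORD:
        if (who == "self" and bound_dn == target_dn) or \
           (who == "anonymous" and bound_dn is None) or who == "*":
            return level
    return "none"


def allows(bound_dn, target_dn, needed):
    """Higher access levels imply the lower ones (write > read > ... > auth)."""
    return _LEVELS.index(access_level(bound_dn, target_dn)) >= _LEVELS.index(needed)


def simple_bind(dn, password):
    """What pam_ldap triggers: a still-anonymous connection asks to become dn.
    The server needs 'auth' access to userPassword (granted by the anonymous
    clause), checks the password against the stored hash, and answers yes/no."""
    entry = DIRECTORY.get(dn)
    if entry is None or not allows(None, dn, "auth"):
        return False
    return verify_password(entry["userPassword"], password)


def read_attribute(bound_dn, target_dn, attr):
    """A search for userPassword by anyone but the entry itself returns
    nothing, so no service ever sees the hash or needs its own copy."""
    if attr == "userPassword" and not allows(bound_dn, target_dn, "read"):
        return None
    return DIRECTORY.get(target_dn, {}).get(attr)


def change_password(bound_dn, target_dn, new_password):
    """Only 'self write' reaches this branch; the server re-hashes."""
    if target_dn not in DIRECTORY or not allows(bound_dn, target_dn, "write"):
        return False
    DIRECTORY[target_dn]["userPassword"] = hash_password(new_password)
    return True
```

Because every service authenticates by binding rather than by reading and comparing the attribute, adding a thirteenth service means nothing more than pointing its pam_ldap at the same server; no extra entries, and no hash support in the client.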