We are using PAM to authenticate posixUsers against OpenLDAP. This works great, and allows 'local' (ssh) logins. However, we also use LDAP for a number of other services, including remote access and editing via other software. This means we would like to keep our users' passwords as secure as possible, and enforce encrypted logins for all remote hosts. However, PAM should still be able to authenticate. The manner of encryption is not really important; it just has to be strong enough to be useful over the internet, and usable for all (or most) clients.
We have tried various solutions with ssf directives in /etc/ldap/slapd.conf as well as the security tls=1 directive. All of these attempts broke PAM.
Is what we are trying to do possible with OpenLDAP? If so, could someone maybe point us to an example configuration?
Thank you for your time,