Working With Oracle® Solaris 11.2 Directory and Naming Services: LDAP


Updated: July 2014

LDAP Service Module

As previously indicated, the serviceAuthenticationMethod attribute, if defined for the pam_ldap service, determines how the user binds to the LDAP server; otherwise the authenticationMethod attribute is used. The pam_ldap module binds to the server with the user's own identity and the supplied password, and the user is authenticated only if that bind succeeds.


Note -  Previously, with pam_ldap account management, every user had to supply a login password whenever they logged in to a system, because the password was needed to bind to the directory. Consequently, logins that are not password based, such as ssh with key-based authentication, failed.

You can now perform account management and retrieve a user's account status without authenticating to Directory Server as that user while the user is logging in.

The control that makes this possible is the Password Policy Account Usable Request Control, OID 1.3.6.1.4.1.42.2.27.9.5.8. It is enabled by default on Directory Server. To restrict or extend who may use the control, add access control instructions (ACIs) to the control's entry under cn=features,cn=config on Directory Server. For example, the following entry grants use of the control to the Administrators group:

dn: oid=1.3.6.1.4.1.42.2.27.9.5.8,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 1.3.6.1.4.1.42.2.27.9.5.8
cn: Password Policy Account Usable Request Control
aci: (targetattr != "aci")(version 3.0; acl "Account Usable";
allow (read, search, compare, proxy)
(groupdn = "ldap:///cn=Administrators,cn=config");)
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=server,cn=plugins,cn=config

The pam_ldap module never reads the userPassword attribute; it verifies the password by binding as the user. If no client uses UNIX (pam_unix_*) authentication, there is no need to grant any client read access to userPassword. Likewise, pam_ldap does not support none as an authentication method, because a bind with no credentials cannot verify a password.
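The rules above (service-specific method first, then the default method; no support for none; simple without TLS sends the password in the clear) can be checked against a client profile before users are affected. The following is an added example, not code from the Oracle documentation or from the Solaris ldapclient tool. It assumes the attribute names that ldapclient list prints (NS_LDAP_AUTH and NS_LDAP_SERVICE_AUTH_METHOD) and that a service entry has the form service:method[;method...]; the sample profile is constructed for the example.

```python
"""Audit the bind method pam_ldap will use, from an 'ldapclient list' style dump.

Added example; not part of the Oracle documentation or of ldapclient(8).
Assumes the NS_LDAP_AUTH / NS_LDAP_SERVICE_AUTH_METHOD attribute names and
the 'service:method[;method...]' value syntax.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the style of 'ldapclient list'; not captured from a real host.
SAMPLE_PROFILE = """\
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ldap.example.com
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= none
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:tls:simple;sasl/digest-MD5
NS_LDAP_SERVICE_AUTH_METHOD= passwd-cmd:simple
"""

_LINE = re.compile(r"^(NS_LDAP_[A-Z_]+)=\s*(.*)$")


def parse_profile(text: str) -> Dict[str, List[str]]:
    """Map each profile attribute to its list of values (some attributes repeat)."""
    attrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            attrs.setdefault(m.group(1), []).append(m.group(2).strip())
    return attrs


def _split_methods(value: str) -> List[str]:
    """'tls:simple;sasl/digest-MD5' -> ['tls:simple', 'sasl/digest-MD5'] (tried in order)."""
    return [m.strip() for m in value.split(";") if m.strip()]


def service_methods(attrs: Dict[str, List[str]], service: str) -> List[str]:
    """Methods configured for one service via serviceAuthenticationMethod, or [] if none."""
    for value in attrs.get("NS_LDAP_SERVICE_AUTH_METHOD", []):
        svc, _, methods = value.partition(":")
        if svc == service:
            return _split_methods(methods)
    return []


def effective_bind_methods(attrs: Dict[str, List[str]], service: str = "pam_ldap") -> List[str]:
    """serviceAuthenticationMethod for the service if defined, else authenticationMethod."""
    methods = service_methods(attrs, service)
    if methods:
        return methods
    return [m for v in attrs.get("NS_LDAP_AUTH", []) for m in _split_methods(v)]


def audit_pam_ldap(attrs: Dict[str, List[str]]) -> Tuple[List[str], List[str]]:
    """Return (methods pam_ldap will try, findings that contradict the documented rules)."""
    methods = effective_bind_methods(attrs, "pam_ldap")
    findings: List[str] = []
    if not methods:
        findings.append("no authentication method configured")
    for m in methods:
        if m == "none":
            findings.append("pam_ldap does not support 'none'; the bind will fail")
        elif m == "simple":
            findings.append("'simple' without TLS sends the user's password in the clear")
    return methods, findings


if __name__ == "__main__":
    profile = parse_profile(SAMPLE_PROFILE)
    methods, findings = audit_pam_ldap(profile)
    print("pam_ldap bind methods:", methods)
    for f in findings:
        print("FINDING:", f)
```

The sample profile deliberately sets the default authenticationMethod to none but overrides it for pam_ldap with tls:simple, so the audit passes; remove the pam_ldap override and the same profile is reported as unusable for pam_ldap, which is the failure the text describes.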


Caution  -  If the simple authentication method is used without TLS, the password that the client sends in the bind request crosses the network unencrypted and can be read by third parties.


The following table summarizes the main differences between the authentication mechanisms.

Table 2-2  Authentication Behavior in LDAP

Event: Password sent
  pam_unix_*: Uses the passwd service authentication method
  pam_ldap:   Uses the passwd service authentication method
  pam_krb5:   Uses Kerberos single sign-on; no passwords are sent

Event: New password sent
  pam_unix_*: Encrypted
  pam_ldap:   No encryption (unless TLS is used)
  pam_krb5:   Uses Kerberos; no passwords are sent over the wire

Event: New password stored
  pam_unix_*: crypt format
  pam_ldap:   Password storage scheme defined on Oracle Directory Server Enterprise Edition
  pam_krb5:   Passwords are managed by Kerberos

Event: Requires password read?
  pam_unix_*: Yes
  pam_ldap:   No
  pam_krb5:   No

Event: sasl/digest-MD5 compatibility after changing the password
  pam_unix_*: No. The password is not stored unencrypted, so the user cannot authenticate.
  pam_ldap:   Yes. As long as the default storage scheme is set to clear, the user can authenticate.
  pam_krb5:   No. sasl/GSSAPI is used. There are no passwords over the wire and no passwords stored in the directory server, except when a Kerberos KDC keeps its password database in the LDAP directory server.

Event: Password policy supported?
  pam_unix_*: Yes. enableShadowUpdate must be set to true.
  pam_ldap:   Yes, if so configured.
  pam_krb5:   See the pam_krb5(5) man page and Kerberos V5 Account Management Module.