When implementing pam_ldap, the user binds to the LDAP server by using the authentication method defined in pam_ldap's serviceAuthenticationMethod parameter, if one exists. Otherwise, authenticationMethod is used.
If pam_ldap is able to bind to the server with the user's identity and supplied password, it authenticates the user.
Previously, if you enabled pam_ldap account management, all users had to provide a login password for authentication every time they logged in to the system. Therefore, non-password-based logins using tools such as rsh, rlogin, or ssh would fail.
Now, however, pam_ldap(5), when used with Sun Java System Directory Server DS5.2p4 and newer releases, enables users to log in with rsh, rlogin, rcp, and ssh without giving a password.
pam_ldap(5) has been modified to perform account management and retrieve the account status of users without authenticating to Directory Server as the user who is logging in. The Directory Server control that supports this is 1.3.6.1.4.1.42.2.27.9.5.8, which is enabled by default.
To change the access to this control from its default, add Access Control Instructions (ACIs) on Directory Server. The feature entry and its default ACI look like this:
```ldif
dn: oid=1.3.6.1.4.1.42.2.27.9.5.8,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 1.3.6.1.4.1.42.2.27.9.5.8
cn: Password Policy Account Usable Request Control
aci: (targetattr != "aci")(version 3.0; acl "Account Usable"; allow (read, search, compare, proxy) (groupdn = "ldap:///cn=Administrators,cn=config");)
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=server,cn=plugins,cn=config
```
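As an added example (not part of the original documentation or of Directory Server itself), the following Python helper parses the ACI on the feature entry above and reports which group is granted which rights on the control, so an administrator can audit the entry after changing it. The function names and the audit logic are assumptions of this example; the parser handles only the single target, single bind-rule ACI shape shown on this page.

```python
import re

# The default ACI from the Account Usable feature entry shown on this page.
ACCOUNT_USABLE_ACI = (
    '(targetattr != "aci")(version 3.0; acl "Account Usable"; '
    'allow (read, search, compare, proxy) '
    '(groupdn = "ldap:///cn=Administrators,cn=config");)'
)

# One target clause, one version/name header, one permission and one bind rule.
ACI_RE = re.compile(
    r'\(targetattr\s*(?P<targetop>!?=)\s*"(?P<targetattr>[^"]*)"\)'
    r'\(version\s*3\.0;\s*acl\s*"(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'\((?P<bindrule>[^)]*)\);\)'
)

def parse_aci(aci):
    """Split an ACI string into its target, name, effect, rights and bind rule."""
    m = ACI_RE.fullmatch(aci.strip())
    if m is None:
        raise ValueError("unrecognised ACI syntax: %r" % aci)
    parsed = m.groupdict()
    parsed["rights"] = sorted(r.strip() for r in parsed["rights"].split(","))
    return parsed

def grants_rights_to_group(aci, groupdn, rights):
    """True if the ACI is an allow rule whose bind rule names exactly this
    group and whose permission list contains every right in `rights`."""
    parsed = parse_aci(aci)
    if parsed["effect"] != "allow":
        return False
    bind = re.fullmatch(r'groupdn\s*=\s*"ldap:///(?P<dn>[^"]*)"',
                        parsed["bindrule"].strip())
    if bind is None or bind.group("dn").lower() != groupdn.lower():
        return False
    return set(rights) <= set(parsed["rights"])

if __name__ == "__main__":
    info = parse_aci(ACCOUNT_USABLE_ACI)
    print("acl %r: %s %s to %s" % (info["name"], info["effect"],
                                   ", ".join(info["rights"]), info["bindrule"]))
```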
pam_ldap does not read the userPassword attribute. Therefore, there is no need to grant read access to the userPassword attribute unless other clients are using pam_unix. Also, pam_ldap does not support the none authentication method. Thus, you must define either the serviceAuthenticationMethod or the authenticationMethod attribute so that clients can use pam_ldap. See the pam_ldap(5) man page for more information.
If the simple authentication method is used, the userPassword attribute can be read on the wire by third parties.
See Example pam.conf File for pam_ldap.
The following table summarizes the main differences between pam_unix, pam_ldap, and pam_krb5.
Table 9–5 Authentication Behavior in LDAP With pam_unix, pam_ldap, and pam_krb5
| | pam_unix | pam_ldap | pam_krb5 |
|---|---|---|---|
| Password Sent | Uses passwd service authentication method | Uses passwd service authentication method | Uses Kerberos single sign-on technology, not passwords |
| New Password Sent | Encrypted | No encryption (unless TLS is used) | Uses Kerberos; no passwords are sent over the wire |
| New Password Stored | crypt format | Password storage scheme defined on Sun Java System Directory Server | Passwords are managed by Kerberos |
| Requires password read? | Yes | No | No |
| sasl/digest-MD5 compatibility after changing password | No. Password is not stored in clear. User cannot authenticate. | Yes. As long as the default storage scheme is set to clear, the user can authenticate. | No. sasl/GSSAPI is used. There are no passwords over the wire and no passwords to be stored in the directory server, except when using a Kerberos KDC that manages its password database in the LDAP directory server. |
| Password policy supported? | Yes. enableShadowUpdate must be set to true. | Yes, if so configured. | See pam_krb5(5), Kerberos V5 Account Management Module. |