System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP)

Pluggable Authentication Methods

By using the PAM framework, you can choose among several authentication services. You can use either pam_unix(5) or pam_ldap(5) in conjunction with LDAP.

Because of its increased flexibility and support of stronger authentication methods, the use of pam_ldap is recommended.

pam_unix(5)

If you have not changed the pam.conf(4) file, pam_unix(5) is enabled by default. pam_unix(5) follows the traditional model of UNIX authentication, which means that

  1. The client retrieves the user's encrypted password from the name service.

  2. The user is prompted for his password.

  3. The user's password is encrypted.

  4. The client compares the two encrypted passwords to determine if the user should be authenticated or not.

Additionally, there are two restrictions when using pam_unix(5).


Note –

pam_unix(5) is not compatible with the sasl authentication method digest-MD5, because Sun ONE Directory Server 5.1 requires passwords to be stored in the clear in order to use digest-MD5, whereas pam_unix requires the password to be stored in crypt format.


pam_ldap(5)

When using pam_ldap(5), the user binds to the LDAP server. The authentication method is defined by pam_ldap's serviceAuthenticationMethod parameter if one exists. Otherwise, the authenticationMethod is used by default.

If pam_ldap(5) is able to bind to the server with the user's identity and supplied password, it authenticates the user.

pam_ldap(5) does not read the userPassword attribute. Therefore, there is no need to grant access to read the userPassword attribute unless other clients are using pam_unix(5). pam_ldap(5) does not support the none authentication method. Thus, you must define either the serviceAuthenticationMethod or the authenticationMethod attribute in order for clients to use pam_ldap(5).


Caution –

If the simple authentication method is used, the userPassword attribute can be read on the wire by third parties.


See Example pam.conf File for pam_ldap.

PAM and Changing Passwords

Use passwd(1) to change a password. In order to change the password, the userPassword attribute must be writable by the user. Remember that the serviceAuthenticationMethod for passwd-cmd overrides the authenticationMethod for this operation. Depending on the authentication method used, the current password might be sent unencrypted on the wire.

In the case of pam_unix(5), the new userPassword attribute is encrypted using UNIX crypt and tagged before being written to LDAP. Therefore, the new password is encrypted on the wire, regardless of the authentication method used to bind to the server.

For pam_ldap(5), the new password is sent unencrypted when it is changed. Therefore, to ensure privacy, you need to use TLS. If TLS is not used, the new userPassword value is subject to snooping.

When setting the password with pam_ldap(5) on Sun ONE Directory Server 5.1, the password is encrypted using the passwordStorageScheme (as the value is untagged). See “User Account Management” in the Sun ONE Directory Server 5.1 Administrator's Guide for additional information about the passwordStorageScheme attribute.


Note –

You need to consider the following when setting the passwordStorageScheme attribute. If NIS, NIS+, or another client using pam_unix uses LDAP as a repository, then passwordStorageScheme must be crypt. Also, if using pam_ldap with sasl/digest-MD5 on Sun ONE Directory Server 5.1, passwordStorageScheme must be set to clear.
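The storage-scheme requirements above are mutually exclusive, so it is worth checking what a directory actually holds before mixing client types. The following audit script is an added example, not part of this guide or of Solaris: it reads an LDIF export, reports the scheme tag on each userPassword value (crypt-tagged as pam_unix writes it, clear-tagged, or untagged as written through pam_ldap), and compares it with what the client mix requires. The sample LDIF and the client-type names `pam_unix` and `pam_ldap_digest_md5` are constructed for the example.

```python
import base64
import re

# Constructed sample LDIF export (not from the guide): crypt-tagged, clear-tagged, untagged.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
userPassword: {crypt}abJnggxhB/yWI

dn: uid=bob,ou=People,dc=example,dc=com
userPassword:: e2NsZWFyfWh1bnRlcjI=

dn: uid=carol,ou=People,dc=example,dc=com
userPassword:: aHVudGVyMg==
"""
ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")
TAG_RE = re.compile(r"^\{([^}]+)\}")
# Required passwordStorageScheme per client type (client names are this example's own).
NEEDS = {"pam_unix": "crypt",             # also NIS/NIS+ clients backed by LDAP
         "pam_ldap_digest_md5": "clear"}  # pam_ldap with sasl/digest-MD5 on DS 5.1

def parse_ldif(text):
    """Minimal LDIF reader: {attr: [values]} per entry; unfolds lines, decodes '::' base64."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.replace("\n ", "").splitlines():
            m = ATTR_RE.match(line)
            if m:
                attr, sep, value = m.groups()
                if sep == "::":
                    value = base64.b64decode(value).decode("utf-8", "replace")
                entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def storage_scheme(value):
    """Scheme tag ('crypt', 'clear', ...), or 'untagged' (stored per the server's passwordStorageScheme)."""
    m = TAG_RE.match(value)
    return m.group(1).lower() if m else "untagged"

def audit(entries, clients):
    """Return (required_scheme, [(dn, scheme)]) listing entries not stored the required way."""
    needs = {NEEDS[c] for c in clients if c in NEEDS}
    if len(needs) > 1:
        raise ValueError("one repository cannot store both crypt and clear")
    required = needs.pop() if needs else None
    return required, [(e["dn"][0], storage_scheme(pw)) for e in entries
                      for pw in e.get("userpassword", [])
                      if required and storage_scheme(pw) != required]
```

Untagged values are flagged conservatively because an export alone does not show which passwordStorageScheme the server applied to them.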