As previously indicated, the serviceAuthenticationMethod attribute, if defined for the pam_ldap service, determines how the user binds to the LDAP server; otherwise, the authenticationMethod attribute is used. The pam_ldap module authenticates the user by binding to the server with the user's identity and the supplied password: if that bind succeeds, the user is authenticated.
Account management, that is, retrieving a user's account status, can now be performed without binding to Directory Server as the user who is logging in.
Directory Server provides this through a new request control, OID 1.3.6.1.4.1.42.2.27.9.5.8 (the Password Policy Account Usable Request Control). This control is enabled by default. Who may use it is governed by the access control instructions (ACIs) on the control's entry under cn=features,cn=config; to change the default, modify those ACIs on Directory Server. The default entry looks like this:
dn: oid=1.3.6.1.4.1.42.2.27.9.5.8,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 1.3.6.1.4.1.42.2.27.9.5.8
cn: Password Policy Account Usable Request Control
aci: (targetattr != "aci")(version 3.0; acl "Account Usable"; allow (read, search, compare, proxy) (groupdn = "ldap:///cn=Administrators,cn=config");)
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=server,cn=plugins,cn=config
The pam_ldap module does not read the userPassword attribute; it verifies the password through the bind. If no client uses UNIX authentication (pam_unix_auth comparing the password hash fetched from the directory), granting read access to the userPassword attribute is unnecessary. Likewise, the module does not support none as an authentication method, because an anonymous bind cannot verify a password.
Caution - If the simple authentication method is used without TLS (simple rather than tls:simple), the password the user supplies in the bind crosses the network in cleartext and can be read by third parties.
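The following is an added example, not code from the Solaris documentation or from pam_ldap itself. It models the selection rule above (serviceAuthenticationMethod for the pam_ldap service takes precedence, otherwise authenticationMethod) over a client profile written in the NS_LDAP_AUTH / NS_LDAP_SERVICE_AUTH_METHOD syntax of an ldap_client_file, and flags the two cases the text warns about: none is unusable for pam_ldap, and plain simple sends the password in cleartext. The profile text, the assumption that multiple methods are separated by ";", and the function names are constructed for the example.

```python
"""Resolve and audit the bind method pam_ldap would use.

Added example; not part of pam_ldap or the Solaris documentation.
Assumes ldap_client_file-style keys:
  NS_LDAP_AUTH= <method>[;<method>...]
  NS_LDAP_SERVICE_AUTH_METHOD= <service>:<method>[;<method>...]
"""

SERVICE = "pam_ldap"

# Methods that send the password unencrypted unless wrapped in TLS.
CLEARTEXT_METHODS = {"simple"}

# Constructed sample: pam_ldap gets tls:simple via serviceAuthenticationMethod,
# so the default authenticationMethod (none) is never used for it.
SAMPLE_PROFILE = """\
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 192.0.2.10
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= none
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:tls:simple
NS_LDAP_SERVICE_AUTH_METHOD= passwd-cmd:tls:simple
"""

# Constructed sample of the weak case: no entry for pam_ldap, so it falls back
# to authenticationMethod, which is plain simple (cleartext password).
WEAK_PROFILE = """\
NS_LDAP_AUTH= simple
NS_LDAP_SERVICE_AUTH_METHOD= passwd-cmd:tls:simple
"""


def parse_profile(text):
    """Return (authentication_methods, {service: [methods]}) from profile text."""
    auth = []
    service_auth = {}
    for line in text.splitlines():
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "NS_LDAP_AUTH":
            auth.extend(v.strip() for v in value.split(";") if v.strip())
        elif key == "NS_LDAP_SERVICE_AUTH_METHOD":
            # Split only on the first ':' so 'tls:simple' stays intact.
            svc, _, methods = value.partition(":")
            service_auth.setdefault(svc.strip(), []).extend(
                m.strip() for m in methods.split(";") if m.strip())
    return auth, service_auth


def resolve_bind_methods(auth, service_auth, service=SERVICE):
    """serviceAuthenticationMethod for the service wins; else authenticationMethod.

    Returns the ordered list of methods the client would try."""
    return list(service_auth.get(service) or auth)


def check_pam_ldap_methods(methods):
    """Apply the constraints from the text to each candidate method."""
    findings = []
    for m in methods:
        if m == "none":
            findings.append((m, "unsupported: pam_ldap cannot verify a password with an anonymous bind"))
        elif m in CLEARTEXT_METHODS:
            findings.append((m, "cleartext: password readable on the wire; use tls:simple or a SASL method"))
        else:
            findings.append((m, "ok"))
    return findings


def audit_profile(text, service=SERVICE):
    """Parse, resolve and check a profile in one call."""
    auth, service_auth = parse_profile(text)
    return check_pam_ldap_methods(resolve_bind_methods(auth, service_auth, service))


if __name__ == "__main__":
    for name, profile in (("sample", SAMPLE_PROFILE), ("weak", WEAK_PROFILE)):
        for method, verdict in audit_profile(profile):
            print(f"{name}: {method} -> {verdict}")
```

The point of the fallback check is that an administrator who sets NS_LDAP_AUTH= none (so that ordinary naming lookups are anonymous) must still give pam_ldap its own serviceAuthenticationMethod; without it the module inherits none and cannot authenticate anyone.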
The following table summarizes the main differences between authentication mechanisms.