ldap_pam
mstradling
Hi,
My current client is looking at various login options and would like to move to authentication off their LDAP server.
So far, so good, but anonymous binds aren't an option and corporate rules say passwords can't be stored as plain text in a human-readable file, which rules out the standard IWov solution of setting the LDAP bind username/password in iw.cfg.
I've been looking at other options and came across ldap_pam, a PAM module for authenticating off of LDAP. I've had a good Google but can't find a definitive answer on a) whether ldap_pam only supports anonymous binds or not and b) if it does support a bind username/password, where/how it's stored.
Has anyone got any experience or pointers on this?
Thanks,
Mark
Comments
mstradling
Had another Google and it's not looking good. ldap_pam stores the LDAP proxy password as plain text in /etc/ldap.secret, chmodded to 600.
As I read it, if the proxy user has read/write access they can then reset anyone's/everyone's passwords on the LDAP server. If they only have read access you are a little safer, but they can still try a brute-force approach to guessing a user's password.
Feel free to correct me if I've got this wrong...
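Whichever module ends up holding the proxy bind password, the practical control described in the post above is the file's ownership and mode. Below is an added example (not from this thread or from the module's own distribution) of a small POSIX shell audit for such a file. It assumes the path /etc/ldap.secret that the post names and that the expected owner is root; the test files it is exercised against are constructed in a temporary directory.

```shell
# Audit a proxy-password file such as /etc/ldap.secret (path from the post;
# example code, not shipped with any PAM module).
# Usage: check_secret_file FILE [OWNER]
# Returns 0 only if FILE is a regular, non-symlink file, owned by OWNER
# (default: the calling user, so the check runs portably; pass "root" on a
# real host), with mode exactly 0600 and non-empty. Each failing property is
# reported on stderr and the function returns 1.
check_secret_file() {
    file=$1
    owner=${2:-$(id -un)}
    rc=0
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "$file: missing, not a regular file, or a symlink" >&2
        return 1
    fi
    # 'stat -c' is GNU/BusyBox syntax; fall back to BSD/macOS 'stat -f'.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    fowner=$(stat -c '%U' "$file" 2>/dev/null || stat -f '%Su' "$file")
    if [ "$mode" != "600" ]; then
        echo "$file: mode is $mode, expected 600" >&2
        rc=1
    fi
    if [ "$fowner" != "$owner" ]; then
        echo "$file: owned by $fowner, expected $owner" >&2
        rc=1
    fi
    if [ ! -s "$file" ]; then
        echo "$file: empty (no bind password stored)" >&2
        rc=1
    fi
    return $rc
}

# When run directly with arguments, audit the named file, e.g.
#   sh check_ldap_secret.sh /etc/ldap.secret root
if [ "$#" -gt 0 ]; then
    check_secret_file "$1" "${2:-root}"
fi
```

The check is deliberately strict about mode 600 rather than "not world-readable": group-readable is enough to expose the proxy password to every member of that group, and a symlink at that path is refused because it would let the file's real permissions be set elsewhere.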
gzevin
We use ldap_pam, no issues; we do not keep that password file. I am not a sysadmin, but we are in a highly secure environment, and no issues were noted by the admin team.
Greg Zevin, Ph.D. Comp. Sc.
Independent Interwoven Consultant/Architect
Sydney, AU