Samba password server?

Michael L Torrie torriem at chem.byu.edu
Thu Jul 5 17:05:42 MDT 2007


On Thu, 2007-07-05 at 16:57 -0600, Michael L Torrie wrote:
> On Thu, 2007-07-05 at 12:45 -0600, Kenneth Burgener wrote:
> > Michael L Torrie wrote:
> > Correct me if I am wrong, but LDAP is simply an information storage
> > service?  How would I go about using LDAP to do secure encrypted
> > password authentication?
> 
> You're essentially correct. LDAP by itself isn't technically enough,
> although as Dave mentioned, with SSL and TLS it's pretty secure.

I should note that the way LDAP does authentication is by performing a
"bind" against the server as a particular distinguished name.  So each
node in LDAP can have a userPassword field (well, if the schema allows)
and that is used to verify the bind password.  When you use pam_ldap, it
basically searches LDAP for uid=<username> and then uses the returned DN
as a bind DN.  If your password matches the hash stored in userPassword,
then the bind is successful and pam_ldap says you are in.  Then the rest
of the user's record in LDAP is accessed normally, through anonymous,
non-encrypted searches.

In FC or RHEL, if you set authconfig to use both LDAP and Kerberos for
authentication, Kerberos will always be used first, falling back to LDAP
binds (which may or may not be secure depending on whether you said
ldaps:// or checked TLS).
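As an added illustration of the search-then-bind flow the message describes (this is not code from the post or from pam_ldap), here is a Python simulation against a constructed in-memory directory; the DNs, uids and {SSHA} hashes are made up, and a real client would send these two operations to the server over ldaps:// or after STARTTLS.

```python
import base64
import hashlib
import hmac
import os

def make_ssha(password, salt=None):
    """Encode a password the way OpenLDAP stores {SSHA}: base64(sha1(pw+salt)+salt)."""
    salt = salt if salt is not None else os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

# Constructed stand-in for the directory: DN -> attributes (no server involved).
DIRECTORY = {
    "uid=alice,ou=People,dc=example,dc=com": {
        "uid": "alice", "userPassword": make_ssha("correct horse", b"salt"),
    },
    "uid=bob,ou=People,dc=example,dc=com": {
        "uid": "bob",  # schema allows userPassword, but none has been set
    },
}

def search_dn_for_uid(username):
    """Step 1 of pam_ldap: search (uid=<username>) and return the entry's DN, or None."""
    for dn, attrs in DIRECTORY.items():
        if attrs.get("uid") == username:
            return dn
    return None

def check_userpassword(stored, candidate):
    """Verify a candidate against a stored userPassword value ({SSHA} or {SHA})."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[6:])
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
        return hmac.compare_digest(hashlib.sha1(candidate.encode() + salt).digest(), digest)
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(base64.b64decode(stored[5:]),
                                   hashlib.sha1(candidate.encode()).digest())
    return False  # unknown scheme: refuse rather than compare as plaintext

def simple_bind(dn, password):
    """Step 2: a simple bind as `dn` succeeds only if the password matches userPassword."""
    # A DN with an empty password is an unauthenticated (anonymous-style) bind in LDAP,
    # so a login check must reject it explicitly instead of treating success as a match.
    entry = DIRECTORY.get(dn)
    if entry is None or "userPassword" not in entry or password == "":
        return False
    return check_userpassword(entry["userPassword"], password)

def pam_ldap_authenticate(username, password):
    """Search for the DN, then bind with it: the sequence described in the message."""
    dn = search_dn_for_uid(username)
    return dn is not None and simple_bind(dn, password)
```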