Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 16 Jul 2013 01:07:47 +0200
From:      Jan Bramkamp <crest@rlwinm.de>
To:        freebsd-stable@freebsd.org
Subject:   Re: LDAP authentication confusion
Message-ID:  <51E480C3.50008@rlwinm.de>
In-Reply-To: <20130715224748.GA45649@anubis.morrow.me.uk>
References:  <Pine.GSO.4.64.1307151438370.8901@sea.ntplx.net> <CAHDg04v8xV-yaCXDzSbOzWEvHRMhDy8x0A=B2eho4iK4b1UuJA@mail.gmail.com> <Pine.GSO.4.64.1307151507130.8901@sea.ntplx.net> <1373915752.13754.140661255962197.3CA2BD96@webmail.messagingengine.com> <Pine.GSO.4.64.1307151550030.8901@sea.ntplx.net> <20130715224748.GA45649@anubis.morrow.me.uk>
next in thread | previous in thread | raw e-mail | index | archive | help 
On 16.07.2013 00:47, Ben Morrow wrote:
> Quoth Jan Bramkamp <crest@rlwinm.de>:
>> On 15.07.2013 21:51, Daniel Eischen wrote:
>>>
>>> Wouldn't it be easier just to edit /etc/nsswitch.conf
>>> anyway?
>> PAM and NSS switch are two different subsystems. NSS is just for
>> resource lookups (users, groups, hosts, ...). PAM is for access control.
>>
>> With ldap in nsswitch.conf for users and groups you can lookup a LDAP
>> user but the user can't log into $service through PAM. This requires
>> pam_ldap.so in pam.d/$service.
> 
> The default pam_unix.so calls getpwent, so if nss_ldap returns cryptable
> passwords in its result I think pam_unix can authenticate against those.
> 
> This is not the same as authenticating by LDAP bind, but may end up
> accepting the same passwords.

If you want every process to read your hashed passwords and you use
non-portable crypt hashes it could work. The correct solution would be
authenticate users by LDAP binds without allowing anyone to read the
password or to use the {SASL} password style and authenticate users
against Kerberos with saslauthd. Just don't let you users play with
passwords. Either your password policy allows dumb users to pick trivial
password or it forces complex password structures on them resulting in
post-it notes with passwords around every second desk.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?51E480C3.50008>