[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: PAM concepts (was: pam_{unix,pwdb}: crypt/md5 necessary?)



On Fri, Aug 04, 2000 at 06:32:37PM -0700, W. Reilly Cooley, Esq. wrote:
> On Thu, Aug 03, 2000 at 04:00:20PM -0400, Nalin Dahyabhai wrote:
> > 
> > > Is this how the pam_ldap module works?  I don't know if it has an 'auth' mode
> > > as well (perhaps there's a more secure way to authenticate against LDAP than
> > > by sending the password with getpwnam()).
> > 
> > Yes, it does.  The auth module attempts to do a simple bind to the
> > configured LDAP server as the user being authenticated, because a server
> > that's configured with the least amount of security in mind won't send
> > out the contents of a user's crypted password field.
> 
> Is it really more secure?  Forgive me if I'm missing something here,
> but the effect of setting ACL which prevents anyone from reading the
> hashed password is that the module has to bind to the LDAP server as
> the user, which requires passing their password in clear text over
> the network, which then passes the hashed password from the directory
> object back.

Exactly.  Which is why I don't recommend that you do that.  Others
have mentioned that TLS support is going to show up in the upcoming
OpenLDAP 2.0, and until then (and perhaps afterwards), I'd still go
with something that's *designed* to be an authentication system,
with all of the capabilities that includes (i.e., policies for how
often passwords get changed, what's "good enough" to be a password,
etc.).  I really like Kerberos because it offers this, but wedging
that sort of functionality into an LDAP directory looks like a choice
that's becoming more popular all the time.

Nalin





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []