
Re: SLES9 and pam_ldap (LDAP bind instead of search request)

by Ralf Haferkamp


On Thursday, 29 November 2007, BJP wrote:

> How can one authenticate on Suse Linux 9.3 using LDAP bind instead of
> search requests?
>
> The following post in 2004:
>
> http://www.derkeiler.com/Newsgroups/comp.os.linux.security/2004-06/0258.html
>
> was never replied to online and wondered if anyone has the answer. I am
> challenged with this task as well.
That was probably never answered, because it is pretty bogus :). pam_ldap
always does authentication by an LDAP Bind. It never reads
the "userPassword" from the LDAP server for authentication.
The problem described in the above post might happen because nss_ldap (!) is
able to read the "userPassword" hash from the server, and pam_unix or
pam_unix2 (!) takes that hash to verify it against the password typed in by
the user. If you have such a problem you can easily verify it by doing
a "getent passwd <ldapuser>" on your system. If that returns the password
hash amongst its output, you should adjust your LDAP server's access controls.

--
Ralf
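
The check Ralf describes, as an added example (not part of the original post, and not code from Ralf or the pam_ldap/nss_ldap projects): a small POSIX sh script that inspects the passwd map the same way "getent passwd" does and reports every account whose second field holds something other than a placeholder, i.e. a password hash that nss_ldap was able to read from the directory. The placeholder set (x, *, !, !!, empty) and the assumption that the directory is OpenLDAP with a slapd.conf-style ACL are mine; adapt the fix to your server's ACL syntax if it differs.

```shell
#!/bin/sh
# Added example: find accounts whose password hash leaks through the passwd map.
# A passwd line is user:pw:uid:gid:gecos:home:shell. When the LDAP ACL is sane,
# nss_ldap cannot read userPassword and the pw field is only a placeholder.

# leaks_hash LINE -> returns 0 if the pw field looks like a real hash,
# 1 if it is one of the usual placeholders (assumed set: x * ! !! and empty).
leaks_hash() {
    pw=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$pw" in
        x|'*'|'!'|'!!'|'') return 1 ;;   # placeholder: nothing leaked
        '{'*'}'*)         return 0 ;;   # LDAP style: {SSHA}..., {CRYPT}..., {MD5}...
        '$'*'$'*)         return 0 ;;   # crypt(3) style: $1$salt$hash, $6$salt$hash
        *)                return 0 ;;   # anything else is not a placeholder either
    esac
}

# leaking_users -> prints, one per line, the user names from "getent passwd"
# whose hash is readable. Needs a working nss_ldap; not exercised by the tests.
leaking_users() {
    getent passwd | while IFS= read -r line; do
        if leaks_hash "$line"; then
            printf '%s\n' "${line%%:*}"
        fi
    done
}

# show_fix -> prints the OpenLDAP slapd.conf ACL that stops nss_ldap (and any
# other reader) from fetching userPassword while still allowing pam_ldap's bind.
# Assumes OpenLDAP; ACLs are evaluated first-match, so this rule must appear
# before any general "access to *" directive in slapd.conf.
show_fix() {
    cat <<'EOF'
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
EOF
}

# Stand-alone usage: sh check_hash_leak.sh --scan
if [ "${1:-}" = "--scan" ]; then
    if [ -n "$(leaking_users)" ]; then
        echo "WARNING: password hashes readable via getent for:" >&2
        leaking_users >&2
        echo "Suggested slapd.conf ACL:" >&2
        show_fix >&2
        exit 1
    fi
    echo "OK: no password hashes visible in the passwd map"
fi
```

Run it on the SLES box that shows the symptom; if it lists users, the directory is handing userPassword to the nss_ldap bind identity, and "by * none" on that attribute (or the equivalent rule for your server) is the fix. After changing the ACL, re-run the scan and also confirm that an LDAP bind as a test user still succeeds, since that is what pam_ldap actually relies on.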
