After much trial and error, Ralf is correct. pam_ldap on SLES9 SP3 does authentication with LDAP Bind.
Thanks Ralf.
Rgds,
BJP
Ralf Haferkamp wrote:
On Thursday, 29 November 2007, BJP wrote:
> How can one authenticate on Suse Linux 9.3 using LDAP bind instead of
> search requests?
>
> The following post in 2004:
>
> http://www.derkeiler.com/Newsgroups/comp.os.linux.security/2004-06/0258.html
>
> was never replied to online and wondered if anyone has the answer. I am
> challenged with this task as well.
That was probably never answered because it is pretty bogus :). pam_ldap always
does authentication by an LDAP Bind. It never reads
the "userPassword" from the LDAP server for authentication.
The problem described in the above post might happen because nss_ldap (!) is
able to read the "userPassword" hash from the server and pam_unix or
pam_unix2 (!) takes that hash to verify it against the password typed in by
the user. If you have such a problem, you can easily verify it by doing
a "getent passwd <ldapuser>" on your system. If that returns the password
hash amongst its output, you should adjust your LDAP server's access controls.
--
Ralf
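
The "getent passwd" check described in the reply above, extended to scan every account at once; this is an added example, not part of the original thread. The function names and the sample lines (including the hash-shaped strings) are constructed for illustration, and only crypt(3)-style values are recognised.

```shell
#!/bin/sh
# Classify field 2 of a passwd(5)-format line (what "getent passwd" prints).
# Recognises crypt(3) formats only; anything else is reported as "other".
classify_pw_field() {
    case "$1" in
        '')                 echo empty ;;
        x|'*'|'!'|'!!')     echo placeholder ;;   # hash is not exposed here
        '$'*'$'*)           echo hash ;;          # modular crypt: $id$salt$hash
        *)
            # Traditional DES crypt: exactly 13 characters from [./0-9A-Za-z].
            if [ "${#1}" -eq 13 ] && ! printf '%s' "$1" | grep -q '[^./0-9A-Za-z]'
            then echo hash
            else echo other
            fi ;;
    esac
}

# Read passwd-format lines on stdin and print each login name whose
# password field carries a hash, i.e. the name service is handing it out.
find_exposed_hashes() {
    while IFS=: read -r name pw rest; do
        [ -n "$name" ] || continue
        if [ "$(classify_pw_field "$pw")" = hash ]; then
            echo "$name"
        fi
    done
}

# Constructed sample standing in for "getent passwd" output.
# The hash-shaped values are made up and do not correspond to any password.
sample_getent_output() {
    cat <<'EOF'
alice:x:1000:100:Alice:/home/alice:/bin/bash
bob:$1$CONSTRUCT$0000000000000000000000:1001:100:Bob:/home/bob:/bin/bash
carol::1002:100:Carol:/home/carol:/bin/bash
dave:*:1003:100:Dave:/home/dave:/bin/bash
erin:ab.CONSTRUCT0:1004:100:Erin:/home/erin:/bin/bash
EOF
}

# On a real system: getent passwd | find_exposed_hashes
sample_getent_output | find_exposed_hashes
```

Any name this prints is an account whose hash is readable through the name service, which is the case where the LDAP server's access controls need adjusting.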