On Jan 13, 2006, at 2:37 PM, Jose Gonzalez Gomez wrote:

2006/1/13, John Jolet <[EMAIL PROTECTED]>:

On Jan 13, 2006, at 11:45 AM, Allan Spagnol Comar wrote:

> thanks. I believe I am starting to understand this.
>
> I was seeing that ldap can authenticate in a lot of types, like
> databases, files, and PAM does some things like that too.... or am I
> wrong?
>
as far as I know you are wrong.  ldap is an authentication
mechanism.  it stores usernames, passwords, and much more.

LDAP is *not* an authentication mechanism. LDAP stands for Lightweight Directory Access Protocol, so LDAP is a protocol you use to access data stored in a structured way, called a directory. An LDAP directory is a directory that may be accessed using LDAP. An LDAP server is a server that serves its data using LDAP. LDAP servers are used for a lot of things, and two of them may be single sign-on or centralized authentication (they are different although related things).
You are correct... I was attempting to highlight the distinction between a security storage mechanism (which is what I should have said) and a mechanism that does the actual authentication.

To access data in a directory you may have to authenticate to access the data. This authentication can be done in several ways, and one of them is called simple bind: in this case you provide a path to locate an object in the directory and a password, and the server "compares" the password provided with the password stored in the specified object. IIRC the PAM-LDAP module uses simple bind to authenticate a user trying to gain access to the system. That is, the PAM module takes the provided user and password and tries to authenticate itself against the LDAP server using the simple bind mechanism, translating the user into a path to locate the object representing that user in the directory.

BIG WARNING: Don't do this unless you're using simple bind over SSL-protected connections, or your passwords will travel (almost?) as clear text through the network.

This MIGHT also not be a security risk if the ldap server and the service attempting to authenticate are on the same server.  I usually did simple bind on the ldap server itself, and tls/ssl from all the other servers.
HTH
Jose
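An added example, not code from anyone in this thread, that classifies how the simple bind described above would travel for each server named in a pam_ldap-style /etc/ldap.conf, including the "same server" (loopback) case mentioned. It assumes the PADL pam_ldap/nss_ldap keywords `uri`, `host`, `port` and `ssl` (`on`, `start_tls`, `no`) and uses a constructed sample configuration.

```python
"""Classify how a pam_ldap simple bind travels, from an /etc/ldap.conf.

Assumes the PADL pam_ldap/nss_ldap keywords: uri, host, port, ssl.
"""
from urllib.parse import urlsplit

LOOPBACK = {"localhost", "127.0.0.1", "::1", "ip6-localhost"}

# Constructed sample: one loopback server, one remote server, no TLS.
SAMPLE_CONF = """\
# constructed /etc/ldap.conf for illustration
base dc=example,dc=org
uri ldap://127.0.0.1 ldap://ldap.example.org
ssl no
"""


def parse_ldap_conf(text):
    """Return {keyword: [values...]} for the non-comment lines."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        conf.setdefault(key, []).append(value.strip())
    return conf


def classify_endpoint(uri, ssl_mode):
    """Verdict for one server the PAM module might simple-bind to."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if scheme == "ldapi":
        return "local-socket"        # Unix socket; never leaves the host
    if scheme == "ldaps" or ssl_mode in ("on", "start_tls"):
        return "encrypted"           # SSL from byte one, or upgraded before the bind
    if host in LOOPBACK:
        return "plaintext-loopback"  # the "same server" case from the thread
    return "plaintext"               # password crosses the network almost in clear


def simple_bind_exposure(text):
    """List (uri, verdict) for every server the configuration names."""
    conf = parse_ldap_conf(text)
    ssl_mode = conf.get("ssl", ["no"])[-1].lower()
    uris = [u for entry in conf.get("uri", []) for u in entry.split()]
    port = conf.get("port", ["389"])[-1]
    for entry in conf.get("host", []):          # legacy host/port style
        uris.extend(f"ldap://{h}:{port}" for h in entry.split())
    return [(u, classify_endpoint(u, ssl_mode)) for u in uris]


if __name__ == "__main__":
    for uri, verdict in simple_bind_exposure(SAMPLE_CONF):
        print(f"{uri:32} {verdict}")
```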
