thank you all. Now I really understand what PAM and LDAP are about.
On 1/13/06, John Jolet <[EMAIL PROTECTED]> wrote:
> On Jan 13, 2006, at 2:37 PM, Jose Gonzalez Gomez wrote:
>
> > 2006/1/13, John Jolet <[EMAIL PROTECTED]>:
> >
> > > On Jan 13, 2006, at 11:45 AM, Allan Spagnol Comar wrote:
> > >
> > > > thanks. I believe I am starting to understand this.
> > > >
> > > > I was seeing that ldap can authenticate in a lot of types, like
> > > > databases, files, and PAM do some things like that too... or am I
> > > > wrong?
> > >
> > > as far as I know you are wrong. ldap is an authentication
> > > mechanism. it stores usernames, passwords, and much more.
> >
> > LDAP is *not* an authentication mechanism. LDAP stands for Lightweight
> > Directory Access Protocol, so LDAP is a protocol you use to access data
> > stored in a structured way, called a directory. An LDAP directory is a
> > directory that may be accessed using LDAP. An LDAP server is a server that
> > serves its data using LDAP. LDAP servers are used for a lot of things, and
> > two of them may be single sign-on or centralized authentication (they are
> > different although related things).
>
> You are correct... I was attempting to highlight the distinction between a
> security storage mechanism (which is what I should have said) and a
> mechanism that does the actual authentication.
>
> > To access data in a directory you may have to authenticate to access the
> > data. This authentication can be done in several ways, and one of them is
> > called simple bind: in this case you provide a path to locate an object in
> > the directory and a password, and the server "compares" the password provided
> > with the password stored in the specified object. IIRC the PAM-LDAP module
> > uses simple bind to authenticate a user trying to gain access to the
> > system. That is, the PAM module takes the provided user and password and
> > tries to authenticate itself against the LDAP server using the simple bind
> > mechanism, translating the user into a path to locate the object
> > representing that user in the directory.
> >
> > BIG WARNING: Don't do this unless you're using simple bind over SSL
> > protected connections, unless you want your passwords to travel (almost?) as
> > clear text through the network.
>
> This MIGHT also not be a security risk if the ldap server and the service
> attempting to authenticate are on the same server. I usually did simple
> bind on the ldap server itself, and tls/ssl from all the other servers.
>
> > HTH
> > Jose
> >
> > --
> > An application asked: "Requires Windows 9x, NT4 or better", so I've installed Linux

--
gentoo-user@gentoo.org mailing list
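As an added illustration (not code from the thread or from the PAM-LDAP module), this encodes the LDAPv3 simple-bind request that a PAM-LDAP style client sends after translating the login name into a DN: the password is carried verbatim as a BER octet string, which is why the warning above insists on SSL/TLS. The DN template, the sample user and the sample password are assumed values.

```python
"""Bytes of an LDAPv3 simple-bind request (RFC 4511), as sent by a PAM-LDAP
style client after mapping the login name to a DN.  Constructed example;
the DN template, user and password are assumed values."""
import re

def ber_len(n: int) -> bytes:
    """BER length octets: short form under 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload

def user_to_dn(user: str, template: str = "uid={user},ou=People,dc=example,dc=com") -> str:
    """Translate a login name into the DN of its directory object (assumed template).
    Reject characters that would let a login name alter the DN structure."""
    if not re.fullmatch(r"[A-Za-z0-9._-]+", user):
        raise ValueError("login name contains characters not allowed in a DN value")
    return template.format(user=user)

def simple_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.
    msg_id is kept below 128 so a one-byte INTEGER encoding is exact."""
    if not 0 <= msg_id < 128:
        raise ValueError("messageID outside the single-byte range used here")
    version = tlv(0x02, b"\x03")                  # INTEGER 3
    name = tlv(0x04, dn.encode())                  # OCTET STRING holding the DN
    creds = tlv(0x80, password.encode())           # [0] simple: password verbatim
    bind = tlv(0x60, version + name + creds)       # [APPLICATION 0] BindRequest
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + bind)  # outer SEQUENCE

def password_visible(packet: bytes, password: str) -> bool:
    """True when the password appears verbatim in the bytes, i.e. what a
    network observer sees whenever the connection is not wrapped in TLS."""
    return password.encode() in packet

def bind_allowed(uri: str, start_tls: bool) -> bool:
    """Client-side policy: only send a simple bind over ldaps://, over a
    local ldapi:// socket, or after a successful StartTLS on ldap://."""
    scheme = uri.split("://", 1)[0]
    return scheme in ("ldaps", "ldapi") or (scheme == "ldap" and start_tls)

if __name__ == "__main__":
    pkt = simple_bind_request(1, user_to_dn("alice"), "s3cret")
    print(pkt.hex())
    print("password on the wire:", password_visible(pkt, "s3cret"))
```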