On Thu, 09 Aug 2001, [EMAIL PROTECTED] spewed into the ether:
<snip>
> PAM only needs root access if it's authenticating off /etc/shadow. Few 
Fine.

> medium-to-large scale operations today distribute passwords via NIS to 
> shadow files. Most, like mine, use LDAP, and you can authenticate off 
> an LDAP database without being root. For a very secure setup, hash the 
> passwords in the LDAP database (gives shadow-like security) and grant 
> compare access to your client machines (allows them to authenticate 
> without even read access).
Which means that I need to implement the encryption/hashing support in
*every* application that uses LDAP. For some, I cannot do this, I don't
have the source to hack. My only option is to bind to LDAP as the user
to authenticate (anonymous bindings are disallowed). A bigger advantage
of this is that it is supported in most applications that I need to use,
or the same code will apply, so the hacking required is less.
The operating environment can be considered hostile, and every
application runs as a dedicated user.

What I need is:
             (bind)
Application ----> LDAP
If I can achieve this by storing passwords in LDAP, fine by me. Else
passwords go in sasldb, and LDAP-->SASL is required. This is why direct
LDAP support will be useful, rather than SASL-->LDAP-->SASL.

Devdas Bhagat
--
insecurity, n.:
        Finding out that you've mispronounced for years one of your
        favorite words.

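The "hash the passwords in the LDAP database" setup from the quoted reply, as an added example in Python that is not code from either poster: it builds the {SSHA} userPassword form OpenLDAP stores and models the compare step the directory performs, so a client with compare-only access never reads the hash. The salt value and the tiny in-memory directory are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# {SSHA} userPassword layout: "{SSHA}" + base64( sha1(password + salt) + salt ).
SHA1_LEN = 20


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} userPassword value; salt defaults to 4 random bytes."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    check = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, check)


# Constructed stand-in for the directory: DN -> stored userPassword.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=org": make_ssha("correct horse", b"salt"),
}


def directory_compare(dn: str, candidate: str) -> bool:
    """Server side of an LDAP compare on userPassword.

    The client only supplies the DN and a candidate value; the hash itself
    stays inside the directory, which is the 'compare access' model.
    """
    stored = DIRECTORY.get(dn)
    return stored is not None and verify_ssha(stored, candidate)
```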