Re: [gentoo-user] ldap vs. pam
On Friday, 13 January 2006 21:37, ext Jose Gonzalez Gomez wrote:

> BIG WARNING: Don't do this unless you're using simple bind over SSL-protected connections, unless you want your passwords to travel (almost?) as clear text through the network.

And because of this, I'd recommend separating authentication from authorization, i.e. use LDAP to store user data WITHOUT passwords, and use Kerberos for password storage. There is only one situation where (encrypted) passwords travel over the network when using Kerberos: password change.

Bye...

	Dirk
--
Dirk Heinrichs          | Tel:  +49 (0)162 234 3408
Configuration Manager   | Fax:  +49 (0)211 47068 111
Capgemini Deutschland   | Mail: [EMAIL PROTECTED]
Hambornerstraße 55      | Web:  http://www.capgemini.com
D-40472 Düsseldorf      | ICQ#: 110037733
GPG Public Key C2E467BB | Keyserver: www.keyserver.net
Re: [gentoo-user] ldap vs. pam
thank you all. now I really understand what PAM and LDAP are about.

On 1/13/06, John Jolet [EMAIL PROTECTED] wrote:
> On Jan 13, 2006, at 2:37 PM, Jose Gonzalez Gomez wrote:
>> 2006/1/13, John Jolet [EMAIL PROTECTED]:
>>> On Jan 13, 2006, at 11:45 AM, Allan Spagnol Comar wrote:
>>>> thanks. I believe I am starting to understand this. I was seeing that ldap can authenticate in a lot of types, like databases, files, and PAM does some things like that too, or am I wrong?
>>> as far as I know you are wrong. ldap is an authentication mechanism. it stores usernames, passwords, and much more.
>> LDAP is *not* an authentication mechanism. LDAP stands for Lightweight Directory Access Protocol, so LDAP is a protocol you use to access data stored in a structured way, called a directory. An LDAP directory is a directory that may be accessed using LDAP. An LDAP server is a server that serves its data using LDAP. LDAP servers are used for a lot of things, and two of them may be single sign on or centralized authentication (they are different although related things).
> You are correct... I was attempting to highlight the distinction between a security storage mechanism (which is what I should have said) and a mechanism that does the actual authentication.
>> To access data in a directory you may have to authenticate to access the data. This authentication can be done in several ways, and one of them is called simple bind: in this case you provide a path to locate an object in the directory and a password, and the server compares the password provided with the password stored in the specified object. IIRC the PAM-LDAP module uses simple bind to authenticate a user trying to gain access to the system. That is, the PAM module takes the provided user and password and tries to authenticate itself against the LDAP server using the simple bind mechanism, translating the user into a path to locate the object representing that user in the directory.
>> BIG WARNING: Don't do this unless you're using simple bind over SSL-protected connections, unless you want your passwords to travel (almost?) as clear text through the network.
> This MIGHT also not be a security risk if the ldap server and the service attempting to authenticate are on the same server. I usually did simple bind on the ldap server itself, and tls/ssl from all the other servers.
>> HTH
>> Jose

--
An application asked: Requires Windows 9x, NT4 or better, so I've installed Linux
--
gentoo-user@gentoo.org mailing list
Re: [gentoo-user] ldap vs. pam
On Jan 14, 2006, at 4:41 PM, Allan Spagnol Comar wrote:
> thank you all. now I really understand what PAM and LDAP are about.

The upshot of all this is... if you have more than 5 computers that you want to all have the same usernames and passwords, ldap and nis, etc. might be more than you need. rsyncing /etc/passwd and /etc/shadow is probably going to be sufficient for a very small network. beyond 5 or so computers, the other methods start to earn their way. no matter what, though, pam stays in the solution stack.

> On 1/13/06, John Jolet [EMAIL PROTECTED] wrote:
>> On Jan 13, 2006, at 2:37 PM, Jose Gonzalez Gomez wrote:
>>> 2006/1/13, John Jolet [EMAIL PROTECTED]:
>>>> On Jan 13, 2006, at 11:45 AM, Allan Spagnol Comar wrote:
>>>>> thanks. I believe I am starting to understand this. I was seeing that ldap can authenticate in a lot of types, like databases, files, and PAM does some things like that too, or am I wrong?
>>>> as far as I know you are wrong. ldap is an authentication mechanism. it stores usernames, passwords, and much more.
>>> LDAP is *not* an authentication mechanism. LDAP stands for Lightweight Directory Access Protocol, so LDAP is a protocol you use to access data stored in a structured way, called a directory. An LDAP directory is a directory that may be accessed using LDAP. An LDAP server is a server that serves its data using LDAP. LDAP servers are used for a lot of things, and two of them may be single sign on or centralized authentication (they are different although related things).
>> You are correct... I was attempting to highlight the distinction between a security storage mechanism (which is what I should have said) and a mechanism that does the actual authentication.
>>> To access data in a directory you may have to authenticate to access the data. This authentication can be done in several ways, and one of them is called simple bind: in this case you provide a path to locate an object in the directory and a password, and the server compares the password provided with the password stored in the specified object. IIRC the PAM-LDAP module uses simple bind to authenticate a user trying to gain access to the system. That is, the PAM module takes the provided user and password and tries to authenticate itself against the LDAP server using the simple bind mechanism, translating the user into a path to locate the object representing that user in the directory.
>>> BIG WARNING: Don't do this unless you're using simple bind over SSL-protected connections, unless you want your passwords to travel (almost?) as clear text through the network.
>> This MIGHT also not be a security risk if the ldap server and the service attempting to authenticate are on the same server. I usually did simple bind on the ldap server itself, and tls/ssl from all the other servers.
>>> HTH
>>> Jose
[gentoo-user] ldap vs. pam
Hi,

I don't know if this is a valid question, or I am making a big mess, but I was wondering which authentication method is better, ldap or pam. I would like to know too if it is possible to use both.

thanks.

--
An application asked: Requires Windows 9x, NT4 or better, so I've installed Linux
Re: [gentoo-user] ldap vs. pam
On Jan 13, 2006, at 11:03 AM, Allan Spagnol Comar wrote:
> Hi,
> I don't know if this is a valid question, or I am making a big mess, but I was wondering which authentication method is better, ldap or pam. I would like to know too if it is possible to use both.

ldap is one of the methods that can (p)lug in to pam (pluggable authentication method...)

> thanks.
Re: [gentoo-user] ldap vs. pam
thanks. I believe I am starting to understand this. I was seeing that ldap can authenticate in a lot of types, like databases, files, and PAM does some things like that too, or am I wrong?

On 1/13/06, John Jolet [EMAIL PROTECTED] wrote:
> On Jan 13, 2006, at 11:03 AM, Allan Spagnol Comar wrote:
>> Hi,
>> I don't know if this is a valid question, or I am making a big mess, but I was wondering which authentication method is better, ldap or pam. I would like to know too if it is possible to use both.
> ldap is one of the methods that can (p)lug in to pam (pluggable authentication method...)
>> thanks.

--
An application asked: Requires Windows 9x, NT4 or better, so I've installed Linux
Re: [gentoo-user] ldap vs. pam
On 13 Jan 2006, at 17:45, Allan Spagnol Comar wrote:
> thanks. I believe I am starting to understand this. I was seeing that ldap can authenticate in a lot of types, like databases, files, and PAM does some things like that too, or am I wrong?

Yes, pretty much. But they're often structured at different layers - a service might call PAM for authentication which might then call LDAP, I think.

PAM allows you to specify multiple authentication sources - such as /etc/passwd, other flat-file, or perhaps using WinBind to talk to a Windows Domain Controller. PAM is extremely flexible in managing these sources - I think, for example, it could require the username to be in one source but then authenticate the username:password against another source, or it can allow a user to log in via any one of multiple authentication mechanisms.

LDAP authentication allows your users to login against a centralised database - the service they're logging into authenticates against the LDAP server. I don't really know much about LDAP and how it's managed but it offers centralised single-signon that PAM alone can't offer (although PAM could certainly be a _part_ of that).

Stroller.
Re: [gentoo-user] ldap vs. pam
On Jan 13, 2006, at 11:45 AM, Allan Spagnol Comar wrote:
> thanks. I believe I am starting to understand this. I was seeing that ldap can authenticate in a lot of types, like databases, files, and PAM does some things like that too, or am I wrong?

as far as I know you are wrong. ldap is an authentication mechanism. it stores usernames, passwords, and much more.

hopefully, i'll not screw up this explanation. You sit down to your computer... you see the login prompt. You type username, it asks for a password. you give it one. it (the getty program) then passes those credentials to pam. pam looks in its list of authentication mechanisms to see in what order you'd like to try to authenticate. say it's ldap, then nis, then shadow. so it does a query to ldap using your username as a key to retrieve your encrypted password. it then compares what returns (assuming you are in the ldap db) with the encrypted form of what you typed. If it matches, pam checks to see if that's simply a required authentication, or a sufficient authentication. it is possible with pam to require more than one test be passed before saying okay. if more tests are required, or you don't pass that test, pam goes down its list of other methods. typically, for instance, root is only in shadow NOT in ldap. so usually, users are allowed to fail the ldap (or nis) and be checked against shadow. usually, though, shadow is the authentication method of last resort. so pam is a framework into which multiple authentication methods can snap.

> On 1/13/06, John Jolet [EMAIL PROTECTED] wrote:
>> On Jan 13, 2006, at 11:03 AM, Allan Spagnol Comar wrote:
>>> Hi,
>>> I don't know if this is a valid question, or I am making a big mess, but I was wondering which authentication method is better, ldap or pam. I would like to know too if it is possible to use both.
>> ldap is one of the methods that can (p)lug in to pam (pluggable authentication method...)
>>> thanks.
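The "ldap, then nis, then shadow" walk John describes is governed by the control flag on each line of the PAM auth stack. The following is an added example, not code from the thread or from Linux-PAM: it simulates Linux-PAM's control-flag semantics (requisite, required, sufficient, optional) over three constructed backends standing in for pam_ldap, pam_nis and pam_unix. The user databases, the passwords and the SHA-256 "hash" are all made up for the demonstration (a real pam_unix compares crypt(3) hashes from /etc/shadow). It shows root, present only in shadow, falling through the two LDAP/NIS lines, and also the less obvious case: a `sufficient` success cannot rescue a login once an earlier `required` line has failed.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# Toy stand-in for the crypt(3) hash a real backend would store; NOT a
# password-hashing scheme to use in production.
def _digest(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed sample backends. In a real system pam_ldap would query the
# directory, pam_nis the NIS passwd map and pam_unix /etc/shadow.
LDAP_USERS: Dict[str, str] = {"alice": _digest("wonderland")}
NIS_USERS: Dict[str, str] = {"bob": _digest("builder")}
SHADOW_USERS: Dict[str, str] = {
    "root": _digest("toor"),             # root lives only in shadow, never in LDAP
    "alice": _digest("stale-local-pw"),  # an out-of-date local copy of alice
}

AuthModule = Callable[[str, str], str]

def backend(users: Dict[str, str]) -> AuthModule:
    """Return a module that answers like a PAM auth module: 'success',
    'auth_err' (bad password) or 'user_unknown' (not in this source)."""
    def authenticate(user: str, password: str) -> str:
        stored = users.get(user)
        if stored is None:
            return "user_unknown"
        return "success" if stored == _digest(password) else "auth_err"
    return authenticate

def run_stack(stack: List[Tuple[str, str, AuthModule]], user: str, password: str):
    """Walk an 'auth' stack with Linux-PAM control-flag semantics:
    requisite  - failure ends the stack immediately with failure
    required   - failure is remembered, but later modules still run
    sufficient - success ends the stack with success, unless a required
                 module already failed; failure is ignored
    optional   - only decides the outcome when it is the only module
    Returns (verdict, trace) where trace lists (module name, result)."""
    trace: List[Tuple[str, str]] = []
    required_failed = False
    for control, name, module in stack:
        result = module(user, password)
        trace.append((name, result))
        ok = result == "success"
        if control == "requisite" and not ok:
            return "fail", trace
        if control == "required" and not ok:
            required_failed = True
        if control == "sufficient" and ok and not required_failed:
            return "success", trace
    if required_failed:
        return "fail", trace
    decisive = [r for (control, _, _), (_, r) in zip(stack, trace)
                if control in ("required", "requisite") or len(stack) == 1]
    return ("success" if decisive and all(r == "success" for r in decisive) else "fail"), trace

# The order John describes: try LDAP, then NIS, then fall back to shadow.
LOGIN_STACK = [
    ("sufficient", "pam_ldap", backend(LDAP_USERS)),
    ("sufficient", "pam_nis",  backend(NIS_USERS)),
    ("required",   "pam_unix", backend(SHADOW_USERS)),
]

# Same modules, but with the local check marked 'required' and placed first:
# a later 'sufficient' success can no longer rescue the login.
STRICT_STACK = [
    ("required",   "pam_unix", backend(SHADOW_USERS)),
    ("sufficient", "pam_ldap", backend(LDAP_USERS)),
]

if __name__ == "__main__":
    for stack_name, stack in (("login", LOGIN_STACK), ("strict", STRICT_STACK)):
        for user, pw in (("alice", "wonderland"), ("root", "toor"), ("root", "guess"), ("bob", "builder")):
            verdict, trace = run_stack(stack, user, pw)
            print(f"{stack_name:6} {user:5} -> {verdict:7} via {trace}")
```

Two things worth noticing when you run it: with `LOGIN_STACK`, alice's login never touches the stale shadow entry because the `sufficient` pam_ldap line ends the stack on success, which is exactly the "method of last resort" behaviour John describes; with `STRICT_STACK`, the same correct LDAP password is rejected, because the ordering of `required` before `sufficient` makes the local file authoritative. Ordering and flags, not just the list of modules, decide who gets in.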
Re: [gentoo-user] ldap vs. pam
2006/1/13, John Jolet [EMAIL PROTECTED]:
> On Jan 13, 2006, at 11:45 AM, Allan Spagnol Comar wrote:
>> thanks. I believe I am starting to understand this. I was seeing that ldap can authenticate in a lot of types, like databases, files, and PAM does some things like that too, or am I wrong?
> as far as I know you are wrong. ldap is an authentication mechanism. it stores usernames, passwords, and much more.

LDAP is *not* an authentication mechanism. LDAP stands for Lightweight Directory Access Protocol, so LDAP is a protocol you use to access data stored in a structured way, called a directory. An LDAP directory is a directory that may be accessed using LDAP. An LDAP server is a server that serves its data using LDAP. LDAP servers are used for a lot of things, and two of them may be single sign on or centralized authentication (they are different although related things).

To access data in a directory you may have to authenticate to access the data. This authentication can be done in several ways, and one of them is called simple bind: in this case you provide a path to locate an object in the directory and a password, and the server compares the password provided with the password stored in the specified object. IIRC the PAM-LDAP module uses simple bind to authenticate a user trying to gain access to the system. That is, the PAM module takes the provided user and password and tries to authenticate itself against the LDAP server using the simple bind mechanism, translating the user into a path to locate the object representing that user in the directory.

BIG WARNING: Don't do this unless you're using simple bind over SSL-protected connections, unless you want your passwords to travel (almost?) as clear text through the network.

HTH
Jose
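Jose's warning can be checked byte for byte: an LDAP simple bind carries the password as a plain OCTET STRING inside the BindRequest, so anyone who can read the TCP stream reads the password. The following is an added example, not code from the thread or from any LDAP library: it BER-encodes a BindRequest and a StartTLS ExtendedRequest as defined in RFC 4511, then decodes the bind the way a passive sniffer on an unencrypted port 389 connection would. The bind DN and password are constructed for the demonstration and no server is contacted.

```python
# Pure-Python BER encoding of the two LDAP messages that matter here, following
# RFC 4511. Constructed for illustration; no real server is contacted.

def ber(tag: int, body: bytes) -> bytes:
    """Encode one BER TLV (tag, definite length, value)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def ber_int(value: int) -> bytes:
    """INTEGER for the small non-negative values used in LDAP headers."""
    return ber(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))

def simple_bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3,
    name OCTET STRING, authentication simple [0] OCTET STRING } }.
    Note that the password is encoded verbatim: no hashing, no challenge."""
    bind = ber_int(3) + ber(0x04, bind_dn.encode()) + ber(0x80, password.encode())
    return ber(0x30, ber_int(message_id) + ber(0x60, bind))

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"

def starttls_request(message_id: int) -> bytes:
    """ExtendedRequest [APPLICATION 23] with requestName [0] = StartTLS OID.
    After the server's success response the same TCP connection is wrapped
    in TLS and every later message, including the bind, is encrypted."""
    return ber(0x30, ber_int(message_id) + ber(0x77, ber(0x80, STARTTLS_OID)))

def tlv(buf: bytes, pos: int = 0):
    """Decode one TLV at pos; return (tag, value, position after it)."""
    tag, pos = buf[pos], pos + 1
    n, pos = buf[pos], pos + 1
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def sniff_simple_bind(frame: bytes):
    """What a passive observer of an unencrypted LDAP connection recovers
    from a simple bind: (bind DN, password), or None for other messages."""
    tag, msg, _ = tlv(frame)
    if tag != 0x30:
        return None
    _, _, pos = tlv(msg)                 # skip messageID
    op_tag, op, _ = tlv(msg, pos)
    if op_tag != 0x60:                   # not a BindRequest
        return None
    _, _, pos = tlv(op)                  # skip version
    _, dn, pos = tlv(op, pos)
    auth_tag, cred, _ = tlv(op, pos)
    if auth_tag != 0x80:                 # SASL bind, credentials not a bare password
        return None
    return dn.decode(), cred.decode()

if __name__ == "__main__":
    dn = "uid=alice,ou=people,dc=example,dc=com"   # constructed example DN
    frame = simple_bind_request(1, dn, "wonderland")
    print("bind on the wire:", frame.hex())
    print("sniffed:", sniff_simple_bind(frame))
    print("StartTLS request:", starttls_request(2).hex())
```

The practical check on a pam_ldap client is therefore the transport, not the bind: the PADL pam_ldap/nss_ldap ldap.conf needs either `ssl start_tls` (StartTLS on port 389, the request encoded above) or a `uri ldaps://...` line, and `tls_checkpeer yes` with a `tls_cacertfile` so the client actually verifies the server's certificate; an encrypted channel to an impostor still hands over the password. The "same host" exception John mentions holds only while the connection stays on the loopback interface.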
Re: [gentoo-user] ldap vs. pam
On Jan 13, 2006, at 2:37 PM, Jose Gonzalez Gomez wrote:
> 2006/1/13, John Jolet [EMAIL PROTECTED]:
>> On Jan 13, 2006, at 11:45 AM, Allan Spagnol Comar wrote:
>>> thanks. I believe I am starting to understand this. I was seeing that ldap can authenticate in a lot of types, like databases, files, and PAM does some things like that too, or am I wrong?
>> as far as I know you are wrong. ldap is an authentication mechanism. it stores usernames, passwords, and much more.
> LDAP is *not* an authentication mechanism. LDAP stands for Lightweight Directory Access Protocol, so LDAP is a protocol you use to access data stored in a structured way, called a directory. An LDAP directory is a directory that may be accessed using LDAP. An LDAP server is a server that serves its data using LDAP. LDAP servers are used for a lot of things, and two of them may be single sign on or centralized authentication (they are different although related things).

You are correct... I was attempting to highlight the distinction between a security storage mechanism (which is what I should have said) and a mechanism that does the actual authentication.

> To access data in a directory you may have to authenticate to access the data. This authentication can be done in several ways, and one of them is called simple bind: in this case you provide a path to locate an object in the directory and a password, and the server "compares" the password provided with the password stored in the specified object. IIRC the PAM-LDAP module uses simple bind to authenticate a user trying to gain access to the system. That is, the PAM module takes the provided user and password and tries to authenticate itself against the LDAP server using the simple bind mechanism, translating the user into a path to locate the object representing that user in the directory.
> BIG WARNING: Don't do this unless you're using simple bind over SSL-protected connections, unless you want your passwords to travel (almost?) as clear text through the network.

This MIGHT also not be a security risk if the ldap server and the service attempting to authenticate are on the same server. I usually did simple bind on the ldap server itself, and tls/ssl from all the other servers.

> HTH
> Jose