On Thursday, 02/05/2009 at 02:51 EST, Rich Smrcina <[email protected]> wrote:

> It's a good thing he obfuscated his password then... :)
>
> Careful you'll incite a riot about LDAP being insecure! If anyone is worried,
> implement LDAP over SSL.
When authenticating with LDAP, PAM must perform an ldap search for a dn for which (in this specific case) the racfid attribute has the value of the entered Linux user name. To perform this search, PAM will bind (authenticate) to the LDAP server using binddn/bindpw.

As Patrick has pointed out, DO NOT USE THE adminDN FOR THIS PURPOSE! PAM is not an LDAP administrator and does not require adminDN's privileges. adminDN is far too powerful. PAM needs only to be able to search for a dn that has <pam_login_attribute> := <Linux_login_user_name>.

So follow Rich's illustration of how to create another user, but I recommend NOT making that id the adminDN. Instead, create an aclEntry in the LDAP server to restrict what cn=RemotePAM (e.g.) can do. E.g. they can read a dn and specify the filter "racfid".

(Too bad PAM LDAP doesn't support anonymous requests (no bind). If the LDAP server is configured to allow anonymous requests, they are implicitly associated with cn=Anybody, and you set up an ACL to control it.)

Alan Altmark
z/VM Development
IBM Endicott

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
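The configuration Alan describes, as an added example that is not part of the original thread: a pam_ldap /etc/ldap.conf fragment with the weak adminDN bind commented out beside a dedicated cn=RemotePAM bind over LDAPS, followed by the LDIF that creates that identity and an aclEntry limiting it to read/search/compare on the racfid attribute. The suffix o=example, the host name, passwords and file paths are placeholders, and the aclEntry attribute-level syntax (`at.<attr>:rsc`) is assumed to match the IBM LDAP server's ACL model.

```conf
# --- /etc/ldap.conf for pam_ldap (assumed placeholders: o=example, host, passwords) ---
# Weak: binding as the directory administrator for a lookup-only task.
#binddn cn=Admin,o=example            # adminDN: far more privilege than PAM needs
#bindpw adminsecret

# Corrected: a dedicated identity that can only resolve a user name to a dn.
uri     ldaps://ldap.example.com/     # LDAP over SSL, as suggested in the thread
base    o=example
binddn  cn=RemotePAM,o=example
bindpw  remotepam-secret              # keep this file readable by root only (mode 0600)
pam_login_attribute racfid            # PAM searches for (racfid=<Linux user name>)
ssl     on
tls_cacertfile /etc/ssl/certs/ldap-ca.pem
tls_checkpeer  yes

# --- LDIF applied to the LDAP server (aclEntry syntax assumed) ---
dn: cn=RemotePAM,o=example
objectclass: person
cn: RemotePAM
sn: RemotePAM
userpassword: remotepam-secret

# Grant cn=RemotePAM read/search/compare (rsc) on racfid only, propagated down
# the subtree, so it can find a user's dn but cannot read or change anything else.
dn: o=example
changetype: modify
add: aclEntry
aclEntry: access-id:cn=RemotePAM,o=example:at.racfid:rsc
-
add: aclPropagate
aclPropagate: TRUE
```

The actual password check still happens when PAM binds as the dn it found with the user's own password, so cn=RemotePAM never needs write or password-reading rights.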
