On Thu, 2007-07-05 at 16:57 -0600, Michael L Torrie wrote:
> On Thu, 2007-07-05 at 12:45 -0600, Kenneth Burgener wrote:
> > Michael L Torrie wrote:
> > Correct me if I am wrong, but LDAP is simply an information storage
> > service? How would I go about using LDAP to do secure encrypted
> > password authentication?
>
> You're essentially correct. LDAP by itself isn't technically enough,
> although as Dave mentioned, with SSL and TLS it's pretty secure.
I should note that the way LDAP does authentication is by performing a "bind" against the server as a particular distinguished name. So each node in LDAP can have a userPassword field (well, if the schema allows) and that is used to verify the bind password.

When you use pam_ldap, it basically searches LDAP for uid=<username> and then uses the returned DN as a bind DN. If your password matches the hash stored in userPassword, then the bind is successful and pam_ldap says you are in. Then the rest of the user's record in LDAP is accessed normally, through anonymous, non-encrypted searches.

In FC or RHEL, if you set authconfig to use both ldap and kerberos for authentication, kerberos will always be used first, falling back to ldap binds (which may or may not be secure depending on whether you said ldaps:// or checked TLS).

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
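The search-then-bind sequence described in the message above, modelled in-process as an added example (this is not code from the post, from pam_ldap, or from any LDAP server). The toy directory, the DNs, the uid values and the passwords are all constructed for the example; a real pam_ldap talks to the server over the network, but the two steps it performs, and the way the server checks a simple-bind password against an RFC 2307 style userPassword value ({SSHA}, {SHA} or cleartext), are what the code reproduces. The last helper captures the point about ldaps:// versus plain ldap://: the simple-bind password itself crosses the wire in the clear unless the transport is protected.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# --- userPassword helpers (RFC 2307 style values as stored by OpenLDAP etc.) ---

def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build a {SSHA} userPassword value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_userpassword(stored: str, candidate: str) -> bool:
    """What the server does on simple bind: compare the offered password with userPassword.

    Supports {SSHA} (salted SHA-1), {SHA} (unsalted SHA-1) and a bare cleartext value.
    Comparisons use hmac.compare_digest to avoid timing leaks.
    """
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, rest is salt
        return hmac.compare_digest(hashlib.sha1(candidate.encode() + salt).digest(), digest)
    if stored.startswith("{SHA}"):
        raw = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(hashlib.sha1(candidate.encode()).digest(), raw)
    # No scheme prefix: the directory holds the password in cleartext.
    return hmac.compare_digest(stored.encode(), candidate.encode())

# --- constructed toy directory: DN -> attributes (hypothetical entries) ---

DIRECTORY: Dict[str, Dict[str, str]] = {
    "uid=alice,ou=People,dc=example,dc=com": {
        "uid": "alice",
        "uidNumber": "1001",
        "userPassword": make_ssha("correct horse", b"\x01\x02\x03\x04"),
    },
    "uid=bob,ou=People,dc=example,dc=com": {
        "uid": "bob",
        "uidNumber": "1002",
        # bob has an account record but no userPassword, so a bind as bob can never succeed
    },
}

# --- the two steps pam_ldap performs ---

def search_uid(directory: Dict[str, Dict[str, str]], username: str) -> Optional[str]:
    """Step 1: anonymous search for (uid=<username>); return the matching entry's DN."""
    for dn, attrs in directory.items():
        if attrs.get("uid") == username:
            return dn
    return None

def simple_bind(directory: Dict[str, Dict[str, str]], dn: str, password: str) -> bool:
    """Step 2: simple bind as that DN; the server checks password against userPassword."""
    entry = directory.get(dn)
    if entry is None or "userPassword" not in entry:
        return False
    return check_userpassword(entry["userPassword"], password)

def pam_ldap_authenticate(directory: Dict[str, Dict[str, str]], username: str, password: str) -> bool:
    """pam_ldap's flow: resolve uid to a DN, then bind with the user's password."""
    dn = search_uid(directory, username)
    if dn is None:
        return False
    return simple_bind(directory, dn, password)

def bind_password_protected(url: str, starttls: bool) -> bool:
    """True only if the simple-bind password would not travel in cleartext:
    either an ldaps:// URL or STARTTLS on a plain ldap:// connection."""
    return url.lower().startswith("ldaps://") or starttls

if __name__ == "__main__":
    print("alice ok:", pam_ldap_authenticate(DIRECTORY, "alice", "correct horse"))
    print("alice wrong pw:", pam_ldap_authenticate(DIRECTORY, "alice", "nope"))
    print("bob (no userPassword):", pam_ldap_authenticate(DIRECTORY, "bob", "anything"))
    print("plain ldap:// without TLS protects password:", bind_password_protected("ldap://ldap.example.com", False))
```

Note that the anonymous search in step 1 only needs read access to uid, which is why the rest of the record can be fetched without binding; the part that must be protected in transit is the bind in step 2, and that is exactly what choosing ldaps:// or TLS in authconfig controls.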
