[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Alternatives to LDAP

To: Dan Melomedman <dan@devonit.com>
Subject: Re: Alternatives to LDAP
From: David Wright <ichbin@shadlen.org>
Date: Sat, 27 Jul 2002 15:13:12 -0700
Cc: OpenLDAP-software@OpenLDAP.org
References: <Pine.GSO.4.33.0207261752590.18127-100000@agassiz.cs.und.edu> <20020726233420.GE2551@mail.devonit.com> <3D421972.5000204@shadlen.org> <20020727204109.GD29477@mail.devonit.com>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020615 Debian/1.0.0-3

wc -l /etc/pam.conf
    107 /etc/pam.conf
Also look at /etc/pam.d

My /etc/pam.conf is empty. /etc/pam.d contains exactly those short one-per-app files I mentioned.

Profiling needs to be done. For example, pam_ldap.so on RH 6.2 is about 50 kb in size.

pam_ldap is one of the largest, most complex PAM modules out there. For the services I have done profiling with, which include smtp and imap servers, authentication time is negligible in comparison to the many other things involved in establishing a connection. I know this because changing the authentication method didn't change the connections per second I could handle at all.

Wrong. pam_ldap ships with MD5 support. Just checked yesterday. It did
not when I tried to use it a year ago.

Looking though the code, I see you are right. But I know that I was using MD5 hashes with PAM nearly 2 years ago. I also know that for a long while there was a problem with the Red Hat builds (up to 7.0 I believe) that pam_ldap supported MD5 hashes but they linked to a crypto library that didn't. And I also know (see below) that you can store and use hashed passwords in LDAP without pam_ldap supporting any hashing at all.

This is ridiculous, we have a commercial (from a company which rhymes with Crisco) RADIUS server which only supports this type of LDAP authentication, and it forced us to create an LDAP entry per service per user.

What I described doesn't require this. I authenticate about 12 different services from many different servers and each user has only ONE userPassword attribute. I set access to attribute=userPassword by self write by anonymous auth by * none and pam_ldap doesn't attempt to read userPassword or any other attribute for any service. It just attempts to bind to the LDAP server using the credentials the server gives it, and if the bind succeeds, it returns success. Note that this also means all the hashing is done in OpenLDAP; pam_ldap doesn't have to support any hash at all.

But it depends on PAM.

Do it doesn't. It depends on the name service system of your OS using nss_ldap (which is not pam_ldap, even though Red Hat stupidly packages them together and compiles them to use the same configuration file; Debian, for example, does not do this). Your applications don't have to be aware of PAM or of anything else to use it. They just call getpwent as usual and the OS takes care of getting the info from whatever sources are specified in /etc/nsswitch.conf, which may include your LDAP server.

References:
- Alternatives to LDAP
  - From: Caylan Van Larson <caylan@cs.und.edu>
- Re: Alternatives to LDAP
  - From: Dan Melomedman <dan@devonit.com>
- Re: Alternatives to LDAP
  - From: David Wright <ichbin@shadlen.org>
- Re: Alternatives to LDAP
  - From: Dan Melomedman <dan@devonit.com>

Prev by Date: l_ldap_str2objectclass() and Netscape DS 4.x
Next by Date: Re: OpenLDAP 2.1.3 and Berkeley DB 4.0.14
Index(es):
- Chronological
- Thread