I have no previous experience with LDAP, SASL, or PAM, but I have read a whole lot of material from the net about each of these and still have some confusion. (I need to quickly create software requirements for a system to start using these….)
I have a Linux-based system that needs to start authenticating user logins via LDAP. There are two types of logins that need to be supported: (1) the Linux login itself, and (2) a login from a proprietary application suite that runs in the Linux environment. The plan is to use PAM for the Linux-level logins, and to use an LDAP API to do the application-level logins (using the bind operation).
I need to support two authentication mechanisms for each type of login: (1) the "simple" LDAP authentication mechanism (i.e., password sent in the clear), and (2) DIGEST-MD5 using SASL. The user account information in the LDAP server will be stored in a "posixAccount" entry.
The current plan is to use OpenLDAP and either Cyrus or GNU SASL. A PAM vendor has not been chosen yet, but I'm looking at PADL.
Having read as much as I can digest on each of these mechanisms, I still have the following questions I'm hoping someone on this list can help me with:
1) What form should the "userPassword" attribute in the "posixAccount" entry be stored in? Plain text? Will the SASL functionality at the LDAP server do the MD5 hash when DIGEST is used? Are 2 "userPassword" attributes required?
2) How should the PAM configuration be set up to allow both LDAP simple and DIGEST-MD5 authentication to be used?
3) Does RFC 3112 have any impact on these scenarios? What is the intent of this RFC relative to how SASL authentication works?
4) I see LOTS of posts on various mailing lists talking about problems getting PAM to work with SASL and LDAP. In general, can all 3 mechanisms be made to play nicely together to support both simple and DIGEST authentication for Linux logins and logins from application programs? Or are there known limitations/problems with this type of combination?
5) I have found a lot of material (HowTos, etc.) that talks about each of these 3 technologies individually (LDAP, SASL, and PAM), but nothing that actually describes how these would be used in combination. Is there a good reference someone knows about that would discuss how to integrate these 3 things to work together?
Thanks,
gil