Geiman Gilbert-GGEIMAN1 wrote:
I have no previous experience with LDAP, SASL, or PAM, but I have read a
whole lot of material from the net about each of these and still have
some confusion. (I need to quickly create software requirements for a
system to start using these….) I have a Linux-based system that needs
to start authenticating user logins via LDAP. There are two types of
logins that need to be supported: (1) the Linux login itself, and (2) a
login from a proprietary application suite that runs in the Linux
environment. The plan is to use PAM for the Linux-level logins, and to
use an LDAP API to do the application-level logins (using the bind
operation). I need to support two authentication mechanisms for each
type of login: (1) the "simple" LDAP authentication mechanism (i.e.,
password sent in the clear), and (2) DIGEST-MD5 using SASL. The user
account information in the LDAP server will be stored in a
"posixAccount" entry.
First question: Why do you need to support both Simple and SASL Binds?
The current plan is to use OpenLDAP and either Cyrus or GNU SASL. A PAM
vendor has not been chosen yet, but I'm looking at PADL.
Having read as much as I can digest on each of these mechanisms, I still
have the following questions I'm hoping someone on this list can help me
with:
1) What form should the "userPassword" attribute in the "posixAccount"
entry be stored in? Plain text? Will the SASL functionality at the
LDAP server do the MD5 hash when DIGEST is used? Are 2 "userPassword"
attributes required?
Your question seems to assume that SASL will use LDAP for its password
store. That's probably a smart thing to do, but it is not the default
behavior for SASL. But yes, if you're going to configure SASL to
retrieve its secrets from LDAP, then you must configure LDAP to store
userPassword's in plain text.
2) How should the PAM configuration be set up to allow both LDAP simple
and DIGEST-MD5 authentication to be used?
pam_ldap only uses one type of Bind. There is no reason to configure
pam_ldap to support both at once.
3) Does RFC 3112 have any impact on these scenarios? What is the intent
of this RFC relative to how SASL authentication works?
I know of no LDAP servers that implement this RFC. I would say it has no
impact today.
4) I see LOTS of posts on various mailing lists talking about problems
getting PAM to work with SASL and LDAP. In general, can all 3
mechanisms be made to play nicely together to support both simple and
DIGEST authentication for Linux logins and logins from application
programs? Or are there known limitations/problems with this type of
combination?
Again, the requirement to support both Simple and SASL binds in pam_ldap
makes no sense. Just configure pam_ldap to use SASL and forget about
Simple binds.
5) I have found a lot of material (HowTo's, etc.) that talk about each
of these 3 technologies individually (LDAP, SASL, and PAM), but nothing
that actually describes how these would be used in combination. Is
there a good reference someone knows about that would discuss how to
integrate these 3 things to work together?
The intersection of these three topics is very tiny. pam_ldap uses
libldap. If libldap was built with SASL support, pam_ldap can be
configured to use it, end of story. Since pam_ldap is just an LDAP
client, there's very little to do here.
On the server side, setting up LDAP with SASL may be slightly more
involved, but PAM is not part of the picture at all. On the OpenLDAP
side, you just need to add appropriate authz-regexp's in slapd.conf to
map SASL user IDs to LDAP DNs. If you're storing SASL secrets in LDAP
and using other SASL-enabled servers, you will also need to configure
them to use the ldapdb auxprop. Both of these are simple steps, already
covered in the respective packages' documentation.
Thanks,
gil
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
