On Thu, Aug 03, 2000 at 04:00:20PM -0400, Nalin Dahyabhai wrote:
>
> > Is this how the pam_ldap module works? I don't know if it has an 'auth' mode
> > as well (perhaps there's a more secure way to authenticate against LDAP than
> > by sending the password with getpwnam()).
>
> Yes, it does. The auth module attempts to do a simple bind to the
> configured LDAP server as the user being authenticated, because a server
> that's configured with the least amount of security in mind won't send
> out the contents of a user's crypted password field.
>

Is it really more secure? Forgive me if I'm missing something here, but the
effect of setting an ACL which prevents anyone from reading the hashed password
is that the module has to bind to the LDAP server as the user, which requires
passing their password in clear text over the network, which then passes the
hashed password from the directory object back. In that case, why bother
hashing, except as a defense against misconfigured ACLs?

Note that I'm assuming that the LDAP server is only accessible on a private
LAN, where any host has access to the network for sniffing.

Of course, this should be moot in a few months when OpenLDAP 2 is released
with SSL/TLS support.

Wil

--
W. Reilly Cooley                                  wcooley@nakedape.cc
Naked Ape Consulting                              http://nakedape.cc
LNXS: Linux/GNU for servers, networks, and        http://lnxs.org
people who take care of them.                     *Now with integrated crypto!*
irc.openprojects.net #lnxs

The most costly of all follies is to believe passionately in the palpably
not true. It is the chief occupation of mankind.
    -- H.L. Mencken
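As an added illustration (not code from the thread or from pam_ldap), the Python below shows what the alternative to a simple bind commits a client to: if the module is allowed to read the user's hashed password attribute instead of binding as the user, it has to parse the stored value and verify the candidate password itself. The `{SSHA}` and `{SHA}` layouts are OpenLDAP's userPassword conventions (salted and unsalted SHA-1, base64-encoded, salt appended after the digest); a value with no scheme prefix is treated as cleartext. The sample password and salt are constructed for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# OpenLDAP userPassword value layouts handled here:
#   {SSHA}base64(sha1(password || salt) || salt)   salted SHA-1, salt usually 4 bytes
#   {SHA}base64(sha1(password))                    unsalted SHA-1
#   no prefix                                      cleartext
# Sample passwords and salts used with these functions are constructed, not
# taken from the thread.

SHA1_LEN = 20  # byte length of a SHA-1 digest; the salt follows it in {SSHA}


def make_userpassword(password: str, scheme: str = "SSHA",
                      salt: Optional[bytes] = None) -> str:
    """Build a userPassword value (the 'crypted password field') in the given scheme."""
    pw = password.encode("utf-8")
    if scheme == "SSHA":
        if salt is None:
            salt = os.urandom(4)
        digest = hashlib.sha1(pw + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")
    if scheme == "SHA":
        return "{SHA}" + base64.b64encode(hashlib.sha1(pw).digest()).decode("ascii")
    raise ValueError(f"unsupported scheme: {scheme}")


def verify_userpassword(password: str, stored: str) -> bool:
    """Check a candidate password against a stored userPassword value.

    This is the work a client must do when it reads the hashed attribute
    rather than proving the password to the server with a simple bind.
    Comparisons use hmac.compare_digest to avoid timing leaks.
    """
    pw = password.encode("utf-8")
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if stored.startswith("{SHA}"):
        raw = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    if stored.startswith("{"):
        # {CRYPT}, {MD5}, ... exist in OpenLDAP but are not handled in this example.
        raise ValueError("unsupported scheme in stored value")
    # No scheme prefix: OpenLDAP treats the attribute as a cleartext password.
    return hmac.compare_digest(pw, stored.encode("utf-8"))


if __name__ == "__main__":
    stored = make_userpassword("secret", "SSHA", salt=b"\x01\x02\x03\x04")
    print(stored)
    print(verify_userpassword("secret", stored), verify_userpassword("wrong", stored))
```

In this read-and-verify mode the candidate password never leaves the client, but the stored hash does travel across the LAN to whoever is allowed to read it, which is the trade-off the message above is weighing against a simple bind that sends the cleartext password instead; on an unencrypted channel neither is sniff-proof, which is why the thread points at OpenLDAP 2's SSL/TLS support.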