Subj : Linux and pam_ldap (LDAP bind instead of search request)
To : comp.os.linux,comp.os.linux.security
From : bnies
Date : Tue Jun 22 2004 09:16 am

Hi,

How can one authenticate on Linux using LDAP bind instead of search requests?

By default a SuSE Linux 9.0 LDAP client uses pam_unix2.so with the "use_ldap" option in /etc/security/pam_unix2.conf. This configuration does a search request on the LDAP server to fetch the user's crypt userPassword attribute and compares that password with the encrypted password he entered.

Solaris offers the option to use another LDAP authentication method: the client issues an LDAP bind request on the server with the user's credentials. This is better because then the password on the LDAP server can be stored with a stronger encryption (SSHA), the passwords on the LDAP server must not be readable by the client, and account lockout can be controlled by an LDAP policy on the server.

Sample Solaris /etc/pam.conf:
-----------------------------
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1

How can this be done on Linux? I tried the pam_ldap.so module with the examples from /usr/share/doc/packages/pam_ldap and authentication works ... but still using the search request method.
SuSE Linux 9.0 /etc/ldap.conf:
------------------------------
host 192.168.5.216 192.168.1.216 192.168.4.216 192.168.6.216
base o=company,c=ch
ldap_version 3
#ssl start_tls
ssl no
### Bind DN for search requests
binddn cn=proxyagent,ou=special_users,o=company,c=ch
bindpw mypassword
### NSS search bases
nss_base_passwd ou=people,o=company,c=ch
nss_base_shadow ou=people,o=company,c=ch
nss_base_group ou=group,o=company,c=ch
nss_base_hosts ou=hosts,o=company,c=ch
nss_base_services ou=services,o=adnovum,c=ch
scope one

SuSE Linux 9.0 /etc/pam.d/sshd:
-------------------------------
auth required pam_nologin.so
auth sufficient pam_ldap.so
auth required pam_unix2.so use_first_pass # set_secrpc
account required pam_unix2.so
password required pam_pwcheck.so
password required pam_ldap.so use_authtok
password required pam_unix2.so use_first_pass use_authtok
session required pam_unix2.so
session required pam_limits.so
session required pam_env.so
session optional pam_mail.so

Thanks in advance for help.

Regards, Bernd
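The post contrasts two ways a PAM client can check a password against LDAP: fetching the user's userPassword hash with a proxy identity and comparing locally (what pam_unix2 "use_ldap" does via the binddn/bindpw above), versus sending the credentials in an LDAP bind so the server does the check. The following example, added here and not part of the original post or of any pam_ldap code, models both paths against a constructed in-memory directory so the three advantages the poster lists (SSHA storage, no read access to the hash, server-side lockout) can be observed directly. The DNs reuse the post's configuration; the DirectoryServer class, the password-reader ACL and the three-failure lockout policy are assumptions made for the simulation, and the {SSHA} encoding follows the OpenLDAP convention base64(sha1(password + salt) + salt).

```python
"""Search-and-compare vs. bind authentication, simulated offline (stdlib only)."""
import base64
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """Return an OpenLDAP-style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, password):
    """Check a cleartext password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


class DirectoryServer:
    """Toy LDAP server (assumed): entries, a read ACL on userPassword, lockout."""

    def __init__(self, max_failures=3):
        self.entries = {}           # dn -> attribute dict
        self.failures = {}          # dn -> consecutive failed binds
        self.password_readers = set()  # DNs allowed to read userPassword
        self.max_failures = max_failures

    def add(self, dn, attrs):
        self.entries[dn] = dict(attrs)

    def search(self, bound_as, dn, attr):
        """Return one attribute, or None if the ACL hides it from bound_as."""
        if attr == "userPassword" and bound_as not in self.password_readers:
            return None
        return self.entries.get(dn, {}).get(attr)

    def bind(self, dn, password):
        """Server-side check: the hash never leaves the server, lockout is enforced."""
        entry = self.entries.get(dn)
        if entry is None:
            return False
        if self.failures.get(dn, 0) >= self.max_failures:
            return False                        # locked out, even with the right password
        if ssha_verify(entry["userPassword"], password):
            self.failures[dn] = 0
            return True
        self.failures[dn] = self.failures.get(dn, 0) + 1
        return False


def auth_by_search(server, proxy_dn, user_dn, password):
    """pam_unix2 use_ldap style: proxy reads the hash, client compares locally."""
    stored = server.search(proxy_dn, user_dn, "userPassword")
    return stored is not None and ssha_verify(stored, password)


def auth_by_bind(server, user_dn, password):
    """Solaris pam_ldap style: hand the credentials to the server."""
    return server.bind(user_dn, password)


def demo():
    """Run both methods through the scenarios the post cares about."""
    server = DirectoryServer(max_failures=3)
    user = "uid=bernd,ou=people,o=company,c=ch"                 # constructed entry
    proxy = "cn=proxyagent,ou=special_users,o=company,c=ch"     # binddn from ldap.conf
    server.add(user, {"userPassword": ssha_hash("s3cret")})
    results = {}
    # Search method only works while the proxy may read userPassword.
    server.password_readers.add(proxy)
    results["search_with_read_acl"] = auth_by_search(server, proxy, user, "s3cret")
    server.password_readers.discard(proxy)
    results["search_without_read_acl"] = auth_by_search(server, proxy, user, "s3cret")
    # Bind needs no read access to the hash at all.
    results["bind_without_read_acl"] = auth_by_bind(server, user, "s3cret")
    # Server-side lockout: three wrong binds, then the correct password is refused.
    for _ in range(3):
        auth_by_bind(server, user, "wrong")
    results["bind_after_lockout"] = auth_by_bind(server, user, "s3cret")
    # The local compare never consults the server's lockout counter.
    server.password_readers.add(proxy)
    results["search_ignores_lockout"] = auth_by_search(server, proxy, user, "s3cret")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:26s} {'OK' if ok else 'REJECTED'}")
```

The point the simulation makes is the one the poster argues: with the search-and-compare path a reader credential for userPassword (here bindpw in /etc/ldap.conf, readable to anyone who can read that file) is both required and sufficient to obtain every hash, and the server's lockout policy has no effect on the comparison; with the bind path the hash stays on the server and policy is enforced there. For reference, PADL's pam_ldap module authenticates by binding as the user's own DN, which is the behaviour the auth_by_bind path models.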