File: README

package info (click to toggle)
libpam-ldap 43-2
  • links: PTS
  • area: main
  • in suites: potato
  • size: 300 kB
  • ctags: 105
  • sloc: ansic: 1,830; makefile: 40
file content (83 lines) | stat: -rw-r--r-- 2,625 bytes parent folder | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83

This is yet another pam_ldap module. 

The advantages of this particular version are:

   o Support for changing passwords in LDAP

   o Support for the V3 client API and protocol (to minimize
     rebinds)

   o Support for Netscape's SSL API (untested as of yet)

   o Compatibility with the nss_ldap configuration file format

   o Supports ypldapd LDAP locator for plug-and-play installation

   o Supports Netscape Directory Server password policies and
     password expiration controls

   o Supports access authorization on the "host" attribute of the
     account objectclass, and on group membership

   o Supports generating crypted hashes locally for use with
     OpenLDAP and other University of Michigan derived LDAP 
     servers

   o Bundled with Debian (Potato) and RedHat (Rawhide)
     distributions.

The module builds under both Linux 2.x and Solaris 2.6.

Thanks to fellow Aussie Chris Albone who wrote the initial
pam_ldap_auth module.

I've tested this with Netscape Directory Server 3.1 under NT and
Solaris, the University of Michigan LDAP server, and Microsoft's
Exchange Server.

pam_ldap is only secure if used with a secure SASL mechanism (like
CRAM-MD5) or with transport security (like SSL/TLS). With simple
authentication, it is less secure than using UNIX hashed passwords,
because the LDAP bind request sends the password in the clear.

Here are some possible deployment scenarios:

   o pam_ldap with account information in /etc flat files,
     kept manually in sync with LDAP

   o pam_ldap with account information in LDAP, using 
     nss_ldap

   o pam_ldap with account information in NIS, using
     ypldapd

Don't forget to ensure that pam_ldap's link dependencies are
satisfied after installation (you can verify this by doing
ldd /usr/lib/security/pam_ldap.so.1). You must ensure that
any libraries that it depends on (such as the LDAP client
library) can be located by the dynamic linker. Otherwise,
libpam may fail to load the pam_ldap module.

FAQ: Where is ldap_ssl.h? It's in the Netscape LDAP
C SDK. Download it from developer.netscape.com. If you
don't want to use SSL, removed -DSSL from CFLAGS. I
don't have any experience building with the SSL/TLS
support in OpenLDAP.

To discuss pam_ldap and related technologies, you may
subscribe to the following mailing list:    

        <URL:mailto:ldap-nis-request@padl.com>

Send an electronic mail message with "subscribe" in the
message body to join the list.

Note that PADL now offer commercial support on a
per-incident basis.      

--
[ PADL Software Pty Ltd ]
Email: support@padl.com
Internet: http://www.padl.com