Sun Microsystems, Inc.
spacerspacer
spacer www.sun.com docs.sun.com |
spacer
black dot
 
 
13.  Basic Components and Concepts (Overview) LDAP Naming Service Security Model Choosing Authentication Methods  Previous   Contents   Next 
   
 

Authentication and Services

The authentication method can be specified for a given service in the serviceAuthenticationMethod attribute. The following services currently support this.

  • passwd-cmd

    This service is used by passwd(1) to change the login password and password attributes.

  • keyserv

    This service is used by the chkey(1) and newkey(1M) utilities to create and change a user's Diffie-Hellman key pair.

  • pam_ldap

    This service is used for authenticating users with pam_ldap.


Note - If the service does not have a serviceAuthenticationMethod set, it will default to the value of the authenticationMethod attribute.


The following example shows a section of a client profile in which the users will use sasl/digest-MD5 to authenticate to the directory server, but will use an SSL session to change their password.
serviceAuthenticationMethod=pam_ldap:sasl/digest-MD5
serviceAuthenticationMethod=passwd-cmd:tls:simple

Pluggable Authentication Methods

By using the PAM framework, you can choose among several authentication services. You can use either pam_unix or pam_ldap in conjunction with LDAP.

Because of its increased flexibility and support of stronger authentication methods, the use of pam_ldap is recommended.

pam_unix

If you have not changed the pam.conf(4) file, pam_unix is enabled by default. pam_unix follows the traditional model of UNIX authentication, which means that

  1. The client retrieves the user's encrypted password from the name service.

  2. The user is prompted for his password.

  3. The user's password is encrypted.

  4. The client compares the two encrypted passwords to determine if the user should be authenticated or not.

Additionally, there are two restrictions when using pam_unix.
  • The password must be stored in UNIX crypt format and not in any other encryption methods, including clear.

  • The userPassword attribute must be readable by the name service.

    For example, if you set the credential level to anonymous, then anyone must be able to read the userPassword attribute. Similarly, If you set the credential level to proxy, then the proxy user must be able to read the userPassword attribute.


Note - pam_unix is not compatible with sasl authentication method digest-MD5, since the iPlanet Directory Server 5.1 requires passwords to be stored in the clear in order to use digest-MD5, but pam_unix requires the password be stored in crypt format.


pam_ldap

When using pam_ldap, the user binds to the LDAP server. The authentication method is defined in pam_ldap's serviceAuthenticationMethod parameter if one exists. Otherwise, the authenticationMethod is used by default.

If pam_ldap is able to bind to the server with the user's identity and supplied password, it authenticates the user.

pam_ldap does not read the userPassword attribute. Therefore, there is no need to grant access to read the userPassword attribute unless there are other clients using pam_unix. pam_ldap does not support the none authentication method. Thus, you must define the serviceAuthenticationMethod or the authenticationMethod attributes in order for clients to use pam_ldap.


Caution - If the simple authentication method is used, the userPassword attribute can be read on the wire by third parties.


See "An example pam.conf file for pam_ldap".

PAM and Changing Passwords

Use the passwd(1) to change a password. In order to change the password, the userPassword attribute must be writeable by the user. Remember that the serviceAuthenticationMethod for passwd-cmd will override the authenticationMethod for this operation. Depending on the authentication used, the current password might be un-encrypted on the wire.

In the case of pam_unix the new userPassword attribute is encrypted using UNIX crypt and tagged before being written to LDAP. Therefore, the new password is encrypted on the wire, regardless of the authentication method used to bind to the server.

For pam_ldap, when a password is changed, the new password is un-encrypted. Therefore, to insure privacy, you need to use TLS. If TLS is not used, the new userPassword will be subject to snooping.

When setting the password with pam_ldap with the iPlanet Directory Server 5.1, the password is encrypted using the serverStrorageScheme (as it is untagged). See "User Account Management" in the iPlanet Directory Server 5.1 Administrator's Guide for additional information about the passwordStorageScheme attribute.


Note - You need to consider the following when setting the passwordStorageScheme attribute. If a NIS, NIS+, or another client using pam_unix is using LDAP as a repository, then passwordStorageScheme needs to be crypt. Also, if using pam_ldap with sasl/digest-MD5 with the iPlanet Directory Server 5.1, passwrodStorageScheme must be set to clear.


Password Management

Solaris LDAP naming services does not currently support the password management features in iPlanet Directory Server 5.1.

 
 
 
  Previous   Contents   Next