
List:       pamldap
Subject:    Re: [pamldap] ldap.conf file
From:       Erich Schneider <erich () caltech ! edu>
Date:       2001-10-26 17:50:37

Craig Hancock writes:
>Hello all, I have some questions about the ldap.conf file that is shipped
>with the pamldap package.

You seem to be working in an nss_ldap situation. I am familiar only
with pam_ldap, so I can only answer from that perspective.

>1) The line that has 
>host 127.0.0.1
>and  
>uri ldap://127.0.0.1
>
>What option takes precedence, and can a second uri be used if the first
>uri address is unavailable, or for load balancing through the timelimit
>option, idle_timelimit option, or another option for that matter?

Precedence:

If your LDAP library has "ldapssl_init" and SSL is turned on,
  "host:port" is used in the call to "ldapssl_init".
Else, if your LDAP library has "ldap_initialize" and uri is set,
  uri is used for the ldap_initialize call.
Else, if your LDAP library has "ldap_init", ldap_init is called with host:port.
Else, ldap_open is called with host:port.

You cannot use multiple URIs in pam_ldap.

>2) What is the difference between binddn and rootbinddn?
>
>From my understanding it is any user that needs the euid,
>and this account is consulted over the default bind dn.

If rootbinddn is specified, binds to the LDAP server for all "anonymous"
connections, and the connection made to do a password change, use
that DN *if* the process is running as uid 0.

If binddn is set, it is used for all "anonymous" binds to the LDAP
server; otherwise, the binds will be truly anonymous.

If no rootbinddn is set, all password changes require entry of the old
password (and the process binds to the LDAP server using the user's DN
to make the change).

>3) What is the pam_lookup_policy

If pam_lookup_policy is set to yes, then during a password change, the
process will ask the LDAP server for an object with objectclass
"passwordPolicy", and if it finds it, asks for that object's
attributes "passwordMaxFailure" and "passwordMinLength", which are
used to control how many times you can blow entering the old password
correctly or entering a valid new password, and the minimum length of
a password, respectively. These default to "3" and "6".

>4) What is the pam_login_attribute?
>I presume the application that is trying to authenticate
>chooses the identifier string of the user.

pam_ldap searches for an object whose pam_login_attribute is the
entered username and assumes that's the object representing the
specified user. It defaults to "uid".

>5) Is pam_filter for restricting access based on attributes or
>objectclasses?

Since objectclass is an attribute, it can restrict access based on both.

>6) Is pam_groupdn used to force everyone's default UNIX group to what is
>specified in the ldap.conf file? If not, what does it do?

pam_groupdn is another way to restrict logins and is used in the
"account management" phase of authentication. If pam_groupdn is set,
the user's DN must be a value of the "pam_member_attribute" attribute
of the object specified by pam_groupdn. pam_groupdn defaults to NULL,
and pam_member_attribute defaults to "uniquemember". 

>7) What are pam_login_attribute, pam_template_login_attribute, and
>pam_template_login?

See answer 4 for pam_login_attribute.

If the user's object has the pam_template_login_attribute, then the
PAM_USER item in the PAM handle is set to its value during the
authenticate phase. If the object lacks that attribute, PAM_USER is set to
the value of the pam_template_login item. Both of these default to
NULL, indicating PAM_USER is not set at all.

The "template" options are used only on those systems where the
setting of the PAM_USER item during the "authenticate" phase is
relevant. 

>8) If pam_password is set to clear, does that mean that all applications
>that have to consult the nss_ldap library take input in clear text if
>clear is specified? Also, it is recommended that the directory server
>hash the password, so what are the other options that can be used besides
>clear?

Setting pam_password to "clear" means the password will be stored in
clear text in the directory. Other options are "crypt" (Unix passwd
file style storage of password), "md5" (store as MD5 hash suitable for
CRAM-MD5 or DIGEST-MD5 authentication), "ad" (Active Directory style
storage), "nds" (N? Directory Server style storage), "exop" (OpenLDAP
password change extended operation).

>9) In order to change your password, does the pam_password exop
>extension need to be enabled? I presume that as long as the entry
>who is authenticating has access to compare and read, that should be enough.

You don't need to use the password change extended operation. If you
don't, password changes will cause the process to bind to the LDAP
server as the user (using the old password) and then set the
userPassword attribute using the specified password scheme as applied
to the new password.

>10) Can you only have one pam_password value?

Yes.

>11) What are the nss_base options for? And I do mean all of them.

As I am only familiar with pam_ldap I can only definitively answer for
nss_base_passwd, but I suspect things extrapolate. nss_base_foo
specifies the root object for searches when searching for values
associated with keys in the database "foo". See "man nsswitch.conf" for
more details about what databases are used when. The values of the
nss_base_foo config options have the form "dn?spec", where dn is a DN
and spec is one of "sub", "one", or "base", which indicates how deep
the search will go relative to the DN (any subobject, a subobject one
level down, or the root object only).

>12) The attribute/objectclass mappings. Are these objectclasses and
>attributes that exist outside of your directory schema that you want to
>tailor certain attributes and objectclasses per host?

I can't answer this, not having used nss_ldap.

>13) I can't seem to find documentation on the ssl options that are
>available in the ldap.conf file. Does anyone know what they are?

"ssl" can be set to "on" or "yes" to specify regular SSL (i.e.
connecting to a dedicated SSL over LDAP port) or "start_tls" to specify use of
STARTTLS (connect to the regular LDAP port, then switch to encrypted
mode after negotiation).

"sslpath" is used to specify the location of the "cert7.db" file,
required if you are using the Netscape LDAP SDK. The certificate info
for the LDAP server must be in that cert7.db file.

I believe the meanings of the tls_ options are as follows:

"tls_checkpeer" being set to "on", "yes", or "true" indicates that you
want to check whether the server's certificate is signed by a valid
certificate authority when using TLS. "tls_cacertfile" and
"tls_cacertdir" are used to control this process. "tls_ciphers" is
used to specify what ciphers the client will offer to use during the
TLS negotiations. "tls_cert" points to the client's certificate in
case the server requires that for connection.

If someone wants to put any of this in actual documentation somewhere,
go ahead. I answered these questions by examining pam_ldap.c.

Also, if any of these answers are wrong, corrections are welcome.

-- 
Erich Schneider  erich@caltech.edu  Caltech Information Technology Services
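As an added illustration (not part of the original message or the pam_ldap project), the following Python script applies the rules described above to a constructed ldap.conf: the host/uri precedence from answer 1, the "dn?spec" form of nss_base_* from answer 11, and a check for the settings in answers 8 and 13 that leave traffic or stored passwords unprotected. The library-capability flags, the `port` key and its 389 default are assumptions of this example.

```python
# Added example: lint a pam_ldap-style ldap.conf against the rules in the post.
SAMPLE_CONF = """# constructed sample ldap.conf (not a real deployment)
host 127.0.0.1
uri ldap://127.0.0.1
ssl start_tls
tls_checkpeer no
pam_password clear
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_group ou=Group,dc=example,dc=com?sub
"""

def parse_conf(text):
    """Return {key: value} for 'key value' lines; comments skipped, last wins."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def connect_method(conf, has_ldapssl_init, has_ldap_initialize, has_ldap_init):
    """Precedence from answer 1; the has_* flags stand in for the LDAP library
    capabilities (assumption). Returns (call, target)."""
    hostport = f"{conf.get('host', 'localhost')}:{conf.get('port', '389')}"
    if has_ldapssl_init and conf.get("ssl") in ("on", "yes"):
        return ("ldapssl_init", hostport)
    if has_ldap_initialize and "uri" in conf:
        return ("ldap_initialize", conf["uri"])
    if has_ldap_init:
        return ("ldap_init", hostport)
    return ("ldap_open", hostport)

def parse_nss_base(value):
    """Split 'dn?spec' (answer 11) into (dn, scope). The post states no
    default scope, so a value without '?spec' yields scope None."""
    dn, sep, spec = value.partition("?")
    if sep and spec not in ("sub", "one", "base"):
        raise ValueError(f"unknown search scope {spec!r}")
    return (dn, spec if sep else None)

def weak_settings(conf):
    """Report settings that leave the connection or stored passwords exposed."""
    findings = []
    if conf.get("ssl") not in ("on", "yes", "start_tls"):
        findings.append("ssl: neither SSL nor STARTTLS enabled; traffic in the clear")
    if conf.get("tls_checkpeer", "").lower() not in ("on", "yes", "true"):
        findings.append("tls_checkpeer: server certificate not explicitly verified")
    if conf.get("pam_password") == "clear":
        findings.append("pam_password: passwords stored in clear text")
    return findings
```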
