Unless otherwise noted, articles © 2005-2008 Doug Spencer, SecurityBulletins.com. Linking to articles is welcomed. Articles on this site are general information and are NOT GUARANTEED to work for your specific needs. I offer paid professional consulting services and will be happy to develop custom solutions for your specific needs. View the consulting page for more information.


LDAP

From SecurityBulletins.com



Introduction to LDAP Authentication

Written by Doug Spencer - 2/2007 - draft

Introducing LDAP

LDAP provides a centralized repository for information. It can also provide authentication services using pam_ldap.so on UNIX systems. There are a few derivatives of pam_ldap, but in general most pam_ldap implementations verify a user's identity by attempting to bind (log in) to the directory as that user's entry with the password the user supplied: the directory server checks the password and answers with success or failure, so the client never needs to see the stored password hash.

With the "simple" bind method, the username (as a DN) and the password are sent as cleartext inside the LDAP protocol, so it is critical to also implement SSL (Secure Sockets Layer) or TLS (Transport Layer Security) to encrypt traffic between the LDAP client and server, either LDAPS (ldaps://, normally port 636) or StartTLS on the regular port 389. Failure to do so could result in passwords being sniffed off the wire, or over the air in the case of wireless networks. The client also has to verify the server's certificate; otherwise TLS stops passive sniffing but not an attacker who impersonates the directory server and collects every password bound to it.
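To make the "cleartext" point concrete, here is an added example (not code from the original article) that builds an LDAPv3 simple BindRequest with a minimal BER encoder and then parses the raw bytes the way a sniffer on an unencrypted segment would. The DN, password and message ID are constructed sample values.

```python
"""Added example, not from the original article: what a passive observer sees
when an LDAPv3 simple bind crosses the wire without TLS.  A minimal BER
encoder builds the BindRequest, and a decoder recovers the DN and password
from the raw bytes the way a sniffer would.  DN, password and message ID
below are constructed sample values."""

from typing import Optional, Tuple


def _ber_len(n: int) -> bytes:
    """Definite-length BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def _ber_int(n: int) -> bytes:
    # Non-negative INTEGER; a value whose top bit is set gets a leading zero
    # octet so it is not read back as negative.
    return _tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def simple_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, bindRequest [APPLICATION 0] SEQUENCE {
         version 3, name LDAPDN, authentication simple [0] OCTET STRING } }"""
    bind = (_ber_int(3)
            + _tlv(0x04, dn.encode("utf-8"))
            + _tlv(0x80, password.encode("utf-8")))  # [0] simple: the password, as is
    return _tlv(0x30, _ber_int(message_id) + _tlv(0x60, bind))


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the TLV) for the TLV at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def sniff_simple_bind(packet: bytes) -> Optional[dict]:
    """Recover message ID, bind DN and cleartext password from a captured
    simple BindRequest; None for anything else (e.g. a SASL bind, tag [3])."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        return None
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        return None
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != 0x60:                    # not a BindRequest
        return None
    _, version, pos = _read_tlv(bind, 0)
    _, dn, pos = _read_tlv(bind, pos)
    tag, cred, _ = _read_tlv(bind, pos)
    if tag != 0x80:                    # SASL credentials would be [3]; nothing to lift
        return None
    return {"message_id": int.from_bytes(mid, "big"),
            "version": int.from_bytes(version, "big"),
            "dn": dn.decode("utf-8"),
            "password": cred.decode("utf-8")}


if __name__ == "__main__":
    pkt = simple_bind_request(1, "uid=alice,ou=People,dc=example,dc=com", "s3cret!")
    print(pkt.hex())                   # the password bytes are right there in the dump
    print(sniff_simple_bind(pkt))
```

The decoder needs no key and no state: everything it prints is in the packet. Wrapping the same bytes in LDAPS or StartTLS is what turns this from a trivial capture into ciphertext.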

LDAP authentication on UNIX Systems

When using LDAP to authenticate UNIX systems, the directory object containing the user information needs a couple of settings. First, the entry needs the posixAccount objectclass. The posixAccount oc (RFC 2307) is where you specify the fields normally held in /etc/passwd: uid (the login name), uidNumber and gidNumber (the numeric UID and GID), homeDirectory, loginShell, cn (full name) and gecos. It is an auxiliary class, so it is added to an entry that already has a structural class such as inetOrgPerson.
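As an added example (not part of the original article), the following checks a candidate entry against what pam_ldap and nss_ldap need from it and renders it as LDIF. The required and optional attribute lists are the posixAccount definition from RFC 2307; the sample user, DN and the minimum-UID policy are constructed.

```python
"""Added example, not from the original article: sanity-check the directory
entry that pam_ldap and nss_ldap expect for a UNIX login and render it as
LDIF.  The attribute lists are the posixAccount object class from RFC 2307;
the user, DN and UID policy (min_uid) below are constructed sample values."""

import base64
from typing import Dict, List, Union

Entry = Dict[str, Union[str, List[str]]]

POSIX_ACCOUNT_MUST = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")
POSIX_ACCOUNT_MAY = ("userPassword", "loginShell", "gecos", "description")


def _values(entry: Entry, attr: str) -> List[str]:
    """Attribute lookup, case-insensitive as LDAP attribute names are."""
    for key, val in entry.items():
        if key.lower() == attr.lower():
            return [val] if isinstance(val, str) else list(val)
    return []


def check_posix_account(entry: Entry, min_uid: int = 1000) -> List[str]:
    """Problems that would stop the entry working as a UNIX account, or make
    it dangerous (a uidNumber below min_uid maps onto local system accounts,
    and 0 is root).  An empty list means the entry passes."""
    problems = []
    classes = {c.lower() for c in _values(entry, "objectClass")}
    if "posixaccount" not in classes:
        problems.append("objectClass posixAccount missing")
    for attr in POSIX_ACCOUNT_MUST:
        if not _values(entry, attr):
            problems.append(f"required attribute {attr} missing")
    for attr in ("uidNumber", "gidNumber"):
        for v in _values(entry, attr):
            if not v.isdigit():
                problems.append(f"{attr} {v!r} is not a number")
            elif attr == "uidNumber" and int(v) < min_uid:
                problems.append(f"uidNumber {v} is below {min_uid}: collides with local system accounts")
    for attr in ("homeDirectory", "loginShell"):
        for v in _values(entry, attr):
            if not v.startswith("/"):
                problems.append(f"{attr} {v!r} is not an absolute path")
    return problems


def _ldif_value(value: str) -> str:
    """LDIF base64-encodes (':: ') values that are not safe ASCII strings."""
    safe = value.isascii() and value.isprintable() and not value.startswith((" ", ":", "<"))
    if safe:
        return ": " + value
    return ":: " + base64.b64encode(value.encode("utf-8")).decode("ascii")


def to_ldif(dn: str, entry: Entry) -> str:
    lines = ["dn" + _ldif_value(dn)]
    for attr, val in entry.items():
        for v in ([val] if isinstance(val, str) else val):
            lines.append(attr + _ldif_value(v))
    return "\n".join(lines) + "\n"


# Constructed sample: posixAccount is auxiliary, so the entry also carries a
# structural class (inetOrgPerson here) and, optionally, shadowAccount.
ALICE = {
    "objectClass": ["inetOrgPerson", "posixAccount", "shadowAccount"],
    "uid": "alice",
    "cn": "Alice Example",
    "sn": "Example",
    "uidNumber": "10001",
    "gidNumber": "10001",
    "homeDirectory": "/home/alice",
    "loginShell": "/bin/sh",
    "gecos": "Alice Example,Room 101",
}

if __name__ == "__main__":
    print(check_posix_account(ALICE))   # []
    print(to_ldif("uid=alice,ou=People,dc=example,dc=com", ALICE))
```

The uidNumber check is the one worth keeping: anyone who can write uidNumber on an entry (or create entries under ou=People) can hand out UID 0 on every client that trusts the directory, so the directory ACIs protecting these attributes deserve the same care as the password.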

Under Solaris, the bundled pam_ldap is a bit different from the PADL pam_ldap used on many Linux systems. Solaris pam_ldap gets its settings from /var/ldap/ldap_client_file and its credentials from /var/ldap/ldap_client_cred, both written by the ldapclient command. The Solaris pam_ldap also requires a proxy account that it uses to connect to the LDAP directory. This is simply an account with a password that has the "proxy" ACI (access control instruction) activated. In my implementation, I found that only having the proxy ACI activated was sufficient for the Solaris pam_ldap to work. Additionally, under Solaris a Virtual List View (VLV) is a requirement. Many LDAP servers don't configure VLV access by default, so an ACI needs to be configured to allow it.

With the PADL pam_ldap, a proxy user is NOT a requirement. The PAM module simply attempts to bind to the directory server as the user being authenticated; if the bind succeeds, the user is allowed in. Configuration of the PADL module is done through /etc/ldap.conf on most UNIX implementations (Debian, for example, names it /etc/pam_ldap.conf). The ldap.conf configuration file is fairly flexible in its usage, which also means the settings that matter for security (whether TLS is used at all, whether the server certificate is checked, and where any bind password lives) are easy to leave out.
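An added example, not from the original article, that audits a PADL-style ldap.conf for the three settings above. The keywords it looks at (host, uri, ssl, tls_checkpeer, tls_cacertfile, binddn, bindpw, rootbinddn) are PADL's; both sample configurations, with their hostnames and DNs, are constructed.

```python
"""Added example, not part of the original article: audit a PADL
/etc/ldap.conf for settings that undo the protections discussed in the text.
Both configurations below are constructed samples; hosts and DNs are invented."""

from typing import Dict, List

# Constructed: a typical "it works" ldap.conf.  No ssl keyword and a plain
# ldap:// host means every simple bind goes out in cleartext, and bindpw sits
# in a world-readable file.
WEAK_CONF = """
host ldap.example.com
base dc=example,dc=com
ldap_version 3
binddn cn=proxy,dc=example,dc=com
bindpw proxy-secret
"""

# Constructed: the same client hardened.  StartTLS on port 389, the server
# certificate verified against a CA file, and the proxy password moved to
# /etc/ldap.secret (mode 0600) via rootbinddn instead of living in ldap.conf.
HARDENED_CONF = """
uri ldap://ldap.example.com/
base dc=example,dc=com
ldap_version 3
ssl start_tls
tls_cacertfile /etc/ssl/certs/example-ca.pem
tls_checkpeer yes
rootbinddn cn=proxy,dc=example,dc=com
"""


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """ldap.conf is 'keyword value' per line with '#' comments; a repeated
    keyword is taken as the last occurrence."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) == 2 else ""
    return settings


def audit_ldap_conf(text: str) -> List[str]:
    """Return findings for the config text; an empty list means none of the
    checked weaknesses is present."""
    cfg = parse_ldap_conf(text)
    findings: List[str] = []
    uses_ldaps = cfg.get("uri", "").lower().startswith("ldaps://")
    tls_mode = cfg.get("ssl", "no").lower()
    if not uses_ldaps and tls_mode not in ("on", "yes", "start_tls"):
        findings.append("no TLS: simple binds send passwords in cleartext "
                        "(set 'ssl start_tls', 'ssl on' or an ldaps:// uri)")
    elif cfg.get("tls_checkpeer", "no").lower() != "yes":
        findings.append("tls_checkpeer is not 'yes': the server certificate is not "
                        "verified, so TLS does not stop a man-in-the-middle")
    if "bindpw" in cfg:
        findings.append("bindpw in ldap.conf: the file is world-readable; use rootbinddn "
                        "and keep the password in /etc/ldap.secret (mode 0600)")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ldap_conf(conf) or ["no findings"])
```

Note the second check only fires once TLS is on: PADL's tls_checkpeer defaults to no, so a client that merely adds "ssl start_tls" will happily negotiate TLS with whoever answers on port 389.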

On most UNIX systems nss_ldap is used for name services, selected per map in /etc/nsswitch.conf. It does lookups for user information, automounter maps, hosts, network information, netgroups and the other maps traditionally stored in files or NIS. It is separate from, but symbiotic with, pam_ldap: pam_ldap establishes who the user is, and nss_ldap supplies the UID, GID, home directory and shell the system needs once the user is in.

LDAP Servers

Fedora Directory Server, which is derived from Netscape Directory Server, is a free, fairly flexible directory server. It allows multi-master replication with up to 4 master nodes. This provides a good platform to create a redundant, fault tolerant directory for your infrastructure. Drawbacks I have found with Fedora Directory Server are that it is not entirely open source, which presents an issue if you are not using a supported platform, and that it is somewhat stricter about schema than OpenLDAP. Fedora Directory Server does provide a reasonably good administration tool.

OpenLDAP is the server normally thought of when open source LDAP is considered. It does not presently have the replication and administration tools of Fedora Directory Server, but it does have thriving community support.
