
RE: nss-pam-ldapd, AD and binding





For *authentication* you can use Kerberos (which has the added benefit of not
transmitting passwords at all).

For NSS/authorization I think you will need to either use SASL & GSSAPI
(certificates etc.) or an LDAP proxy (as you said, a simple bind). The proxy
account info is easy to manage via configuration management tools like
Puppet/Chef etc., but then you are sending the LDAP traffic in plain text.

---
Jeremy Page  |   Senior Technical Architect   |  Gilbarco Veeder-Root
Office: 336 547 5399 | Cell 336 601 7274 | 24/7 On Call 336 430 5151

-----Original Message-----
From: nss-pam-ldapd-users
[nss-pam-ldapd-users-bounces+pagej=gilbarco.com [at] lists.arthurdejong.org]
On Behalf Of Henrik Grindal Bakken
Sent: Wednesday, May 07, 2014 9:17 AM
To: nss-pam-ldapd-users@lists.arthurdejong.org
Subject: nss-pam-ldapd, AD and binding


Hello.  I want to set up pam+nss ldap support against an AD server
(preferably not using e.g. centrify), but I have a bit of a problem.

The AD installation in question does not allow anonymous search, so I have
to bind.  I *could* add a bind user with password and all, but this is quite
a lot of pain (I need to change the password of that user all the time, I
need passwords written down, etc, etc).

What I'd like is for my pam module to bind to AD using short form
(username@domain.com or DOMAIN\username) -- which it has[0] -- and the
user's password (which it has).  Further, I'd like nslcd to retrieve enough
info at that time so it wouldn't have to look up anything else (otherwise
how would nss later work, since the password is now lost).

In a pinch, nslcd could cache the user password, but that sounds like a bad
idea.

Is this possible?

[0] - It would have to be configurable how to create the shortform from
      a username, but that's a lot less configuration than a binddn and
      bindpw (perhaps not a lot less, but at least it's not a password).

--
Henrik Grindal Bakken <hgb@ifi.uio.no>
PGP ID: 8D436E52
Fingerprint: 131D 9590 F0CF 47EF 7963  02AF 9236 D25A 8D43 6E52
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/




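The two setups contrasted in the reply above (a proxy account doing a simple bind, versus nslcd binding with SASL/GSSAPI from the host's Kerberos credentials over TLS), written out as nslcd.conf fragments together with a small classifier that spots the plaintext-bind case. This is an added example, not code from the thread or from the nss-pam-ldapd project; the hostnames, DNs, realm, password and the CA/ccache paths are made-up values, and keeping the credential cache fresh (for example with k5start from the host keytab) is assumed to be handled outside nslcd.

```shell
#!/bin/sh
# Added example, not code from the list thread or the nss-pam-ldapd project.
# Hostnames, DNs, the realm, the password and the file paths below are
# invented for illustration.
set -eu

# Variant 1: proxy account with a stored password, plain ldap:// and no
# StartTLS. The bind password and every lookup cross the wire in the clear.
write_proxy_bind_conf() {
    cat > "$1" <<'EOF'
uid nslcd
gid nslcd
uri ldap://dc1.example.com/
base dc=example,dc=com
binddn cn=nslcd-proxy,ou=Service Accounts,dc=example,dc=com
bindpw ProxyPassw0rd
filter passwd (&(objectClass=user)(!(objectClass=computer)))
map passwd uid sAMAccountName
EOF
}

# Variant 2: nslcd authenticates with Kerberos via SASL/GSSAPI instead of a
# stored password, talks ldaps:// and pins the AD CA. Something outside nslcd
# (assumed here: k5start run from the host keytab) must keep the credential
# cache named by krb5_ccname valid.
write_gssapi_conf() {
    cat > "$1" <<'EOF'
uid nslcd
gid nslcd
uri ldaps://dc1.example.com/
base dc=example,dc=com
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/example-ad-root-ca.pem
sasl_mech GSSAPI
sasl_realm EXAMPLE.COM
krb5_ccname /var/run/nslcd/nslcd.ccache
filter passwd (&(objectClass=user)(!(objectClass=computer)))
map passwd uid sAMAccountName
pagesize 1000
referrals off
EOF
}

# Count lines matching an extended regex; prints 0 instead of aborting the
# script under set -e when nothing matches.
count() {
    grep -Ec "$1" "$2" || true
}

# Print one word describing how the config authenticates to the directory:
#   plaintext-bind  stored password, channel unprotected (the case to avoid)
#   tls-bind        stored password, but ldaps:// or StartTLS protects it
#   gssapi          no stored password, SASL/GSSAPI (Kerberos) bind
#   anonymous       no credentials at all (the AD in the thread rejects this)
classify_nslcd_conf() {
    conf="$1"
    has_pw=$(count '^bindpw[[:space:]]' "$conf")
    ldaps=$(count '^uri[[:space:]]+ldaps://' "$conf")
    tls=$(count '^ssl[[:space:]]+(on|start_tls)([[:space:]]|$)' "$conf")
    gssapi=$(count '^sasl_mech[[:space:]]+GSSAPI([[:space:]]|$)' "$conf")

    if [ "$has_pw" -gt 0 ]; then
        if [ "$ldaps" -gt 0 ] || [ "$tls" -gt 0 ]; then
            echo tls-bind
        else
            echo plaintext-bind
        fi
    elif [ "$gssapi" -gt 0 ]; then
        echo gssapi
    else
        echo anonymous
    fi
}

# Usage: write both variants to a scratch directory and classify them.
demo() {
    dir=$(mktemp -d)
    write_proxy_bind_conf "$dir/proxy.conf"
    write_gssapi_conf "$dir/gssapi.conf"
    for f in proxy gssapi; do
        printf '%s.conf: %s\n' "$f" "$(classify_nslcd_conf "$dir/$f.conf")"
    done
    rm -rf "$dir"
}

demo
```

The classifier only looks at what the file says about credentials and transport; it does not check that the CA file exists or that the credential cache is populated, which is where a GSSAPI setup usually fails in practice.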