Re: nss-pam-ldapd, AD and binding

On Wed, 2014-05-07 at 15:17 +0200, Henrik Grindal Bakken wrote:
> What I'd like is for my pam module to bind to AD using short form
> (username@domain.com or DOMAIN\username) -- which it has -- and the
> user's password (which it has).  Further, I'd like nslcd to retrieve
> enough info at that time so it wouldn't have to look up anything else
> (otherwise how would nss later work, since the password is now lost).
> 
> In a pinch, nslcd could cache the user password, but that sounds like a
> bad idea.
> 
> Is this possible?

It would be very difficult, mostly because the NSS calls are done before
and irrespective of the user authentication. One of the first things the
PAM stack does is get the account information from the provided username
(using NSS, before the user is asked for a password).

There are also plenty of things on a system (e.g. mail servers, cron,
login managers, etc., etc.) that look up user information that is not
related to authentication.

While having something like doing a BIND without a search to get the DN
first is doable in some environments (e.g. some web applications support
this), for a *nix system this will likely cause problems.

Furthermore, I don't know about AD access controls, but I would imagine
that a logged-in user is only able to get their own account information
and not information on all accounts in the directory. Such a BIND would
not be very useful for retrieving other information.

So while Kerberos and other solutions may be available to handle the
authentication part, the NSS part is difficult to solve without some
general access to the directory.

Hope this helps,

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --
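As an added illustration (not from this thread or the nss-pam-ldapd project) of the arrangement the reply points to, an nslcd.conf for an AD domain where a dedicated read-only account gives nslcd the general directory access that NSS lookups need, while PAM authentication still binds with each user's own password. The hostname, base DN, account name, CA file path and the presence of Services for UNIX attributes (uidNumber, unixHomeDirectory) are assumptions.

```conf
# /etc/nslcd.conf (assumed values throughout)
# This file holds bindpw, so it must be root-owned and mode 0600;
# nslcd reads it while still root, before dropping to uid/gid nslcd.
uid nslcd
gid nslcd

# Use LDAPS and verify the server certificate so the service-account
# password and user passwords never cross the wire in the clear.
uri ldaps://ad.example.com/
base dc=example,dc=com
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/ad-ca.pem

# Read-only service account used for NSS lookups (getpwnam, getgrnam, ...).
# These lookups happen before, and independently of, any user login, so
# a per-user bind cannot serve them; the placeholder is not a real value.
binddn cn=nslcd,cn=Users,dc=example,dc=com
bindpw <SERVICE-ACCOUNT-PASSWORD-PLACEHOLDER>

# AD-specific tuning: results come in pages and referrals are not chased.
pagesize 1000
referrals off

# Only expose enabled user objects that carry POSIX attributes.
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    passwd uid           sAMAccountName
map    passwd homeDirectory unixHomeDirectory
map    passwd gecos         displayName
map    passwd loginShell    "/bin/bash"

filter group  (objectClass=group)
map    group  uniqueMember  member

# PAM authentication is separate from the lookups above: nslcd finds the
# user's DN with the service account, then binds as that DN with the
# password the user typed, so the user's credentials are used only for
# their own authentication and never cached for later NSS queries.
```

The separation is the point: the service account needs no more than read access to user and group attributes, and the user's password is used for a single bind and then discarded.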