Re: nss-pam-ldapd, AD and binding

On Wed, 2014-05-07 at 19:05 +0200, Arthur de Jong wrote:
> On Wed, 2014-05-07 at 15:17 +0200, Henrik Grindal Bakken wrote:
> > What I'd like is for my pam module to bind to AD using short form
> > ( or DOMAIN\username) -- which it has -- and the
> > user's password (which it has).  Further, I'd like nslcd to retrieve
> > enough info at that time so it wouldn't have to look up anything else
> > (otherwise how would nss later work, since the password is now lost).
> > 
> > In a pinch, nslcd could cache the user password, but that sounds like a
> > bad idea.
> > 
> > Is this possible?
> It would be very difficult, mostly because the NSS calls are done before
> and irrespective of the user authentication. One of the first things the
> PAM stack does is get the account information from the provided username
> (using NSS, before the user is asked for a password).
> There are also plenty of things on a system (e.g. mail servers, cron,
> login managers, etc., etc.) that lookup user information that is not
> related to authentication.
> While having something like doing a BIND without a search to get the DN
> first is doable in some environments (e.g. some web applications support
> this) for a *nix system this will likely cause problems.
> Furthermore, I don't know about AD access controls, but I would imagine
> that a logged-in user is only able to get their own account information
> and not information on all accounts in the directory. Such a BIND would
> not be very useful for retrieving other information.
> So while Kerberos and other solutions may be available to handle the
> authentication part, the NSS part is difficult to solve without some
> general access to the directory.
> Hope this helps,
Join the domain, extract a keytab, kinit -kt using e.g. the machine key
just before nslcd starts? You can then access whatever you like until
the ticket expires. k5start or cron to renew the ticket if need be. For
base dc=your,dc=domain,dc=base
map    passwd uid              samAccountName
map    passwd homeDirectory    unixHomeDirectory
sasl_mech GSSAPI
sasl_realm YOUR.REALM
krb5_ccname /path/to/ticket/cache

Just a thought.
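The approach sketched above (machine keytab, kinit before nslcd starts, periodic renewal, krb5_ccname pointing nslcd at the cache) as a small renewal script. This is an added example, not code from the list post or from the nss-pam-ldapd project. It assumes the host has already been joined so that /etc/krb5.keytab holds the computer account key, that the computer principal has the usual AD form HOSTNAME$@REALM, and that the cache path, keytab path and nslcd user name below match the local setup (all are assumptions, shown as placeholders):

```shell
#!/bin/sh
# Added example: keep a ticket cache obtained from the machine keytab alive
# for nslcd. Run once before nslcd starts, then from cron (k5start does the
# same job as a daemon). Assumptions: /etc/krb5.keytab holds the computer
# account key, the principal is HOSTNAME$@REALM, and nslcd.conf contains
# "krb5_ccname" set to the same path as CCACHE below.

KEYTAB="${KEYTAB:-/etc/krb5.keytab}"          # assumed keytab location
CCACHE="${CCACHE:-/var/run/nslcd/krb5cc}"     # assumed path; must equal krb5_ccname
REALM="${REALM:-YOUR.REALM}"                  # placeholder realm from the post
NSLCD_USER="${NSLCD_USER:-nslcd}"             # assumed service account of nslcd

# Build the computer-account principal: short host name, upper case, a
# trailing "$", then "@REALM". Assumption: the keytab has that entry.
machine_principal() {
    short=${1%%.*}
    upper=$(printf '%s' "$short" | tr '[:lower:]' '[:upper:]')
    printf '%s$@%s\n' "$upper" "$2"
}

# True when the cache exists and holds a non-expired TGT. "klist -s" is
# silent and exits non-zero for a missing cache or an expired ticket.
ticket_valid() {
    command -v klist >/dev/null 2>&1 || return 1
    klist -s -c "$1"
}

# Fetch a fresh TGT from the keytab into the nslcd cache and make the
# cache readable only by the nslcd service account.
acquire_ticket() {
    princ=$(machine_principal "$(hostname)" "$REALM")
    kinit -kt "$KEYTAB" -c "$CCACHE" "$princ" || return 1
    chown "$NSLCD_USER" "$CCACHE" 2>/dev/null || true
    chmod 600 "$CCACHE"
}

# Renew only when needed, so it is safe to call this from cron every hour.
ensure_ticket() {
    if ticket_valid "$CCACHE"; then
        return 0
    fi
    acquire_ticket
}

# Act only when invoked as "renew"; otherwise the file can be sourced.
if [ "${1:-}" = "renew" ]; then
    ensure_ticket
fi
```

Drop the script into cron (for example hourly, well inside the ticket lifetime) or call it from the nslcd init script before the daemon starts; nslcd then uses sasl_mech GSSAPI with the cache named by krb5_ccname and never needs a user's password for its searches.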