lists.arthurdejong.org

Re: Regarding password validation bypass




On Fri, 2023-04-14 at 01:35 +0530, Mohamed Hussain wrote:
> I am working on nslcd with pam_ldap for authentication to VM. I am
> implementing decentralized identity to bypass password based
> authentication. In that, I am seeing nslcd is validating the password
> even though the user exists in the ldap server by ldap search
> operation. Is there any way to bypass password authentication while
> ldap search results send the NSLCD_SUCCESS response code? Please let
> me know.

Authentication and identity management are separate things.
Authentication is done through PAM and the PAM stack determines how
authentication is done (passwords, Kerberos, etc.). User identification
goes through NSS (nss-pam-ldapd provides both an NSS module and a PAM
module).

If you only need the user to exist in NSS and you do not want any
further authentication you may want to look at the pam_permit module.
However, be warned that you should test this very carefully to not
accidentally allow access by untrusted parties (this depends on your
security model).

Hope this helps,

-- 
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --
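
One way to carry out the careful testing the reply asks for, as an added example that is not part of the original message or of nss-pam-ldapd: a small Python check that reads a service file in /etc/pam.d format and reports every pam_permit.so rule in the auth stack, together with whether any required or requisite rule precedes it. The sample configuration is constructed, and the check is a heuristic that does not follow include/substack lines or evaluate bracketed controls.

```python
import re

GATING = {"required", "requisite"}  # a failure in such a rule fails the whole stack


def parse_pam(text):
    """Yield (lineno, type, control, module) for each rule of an /etc/pam.d file."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        # type, then a control word or a [value=action ...] group, then the module
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m:
            yield lineno, m.group(1), m.group(2), m.group(3).rsplit("/", 1)[-1]


def audit_pam_permit(text):
    """Return (lineno, verdict, gates) for each pam_permit.so rule of type auth.

    'unconditional': no required/requisite auth rule precedes it, so the auth
    stack can succeed without any credential being checked.
    'gated': the listed earlier modules must pass first; review what they verify.
    """
    findings, gates = [], []
    for lineno, ptype, control, module in parse_pam(text):
        if ptype != "auth":
            continue
        if module == "pam_permit.so":
            verdict = "gated" if gates else "unconditional"
            findings.append((lineno, verdict, list(gates)))
        elif control in GATING:
            gates.append(module)
    return findings


# Constructed sample: pam_permit.so added to an auth stack of sufficient rules.
SAMPLE = """\
auth     sufficient  pam_unix.so
auth     sufficient  pam_permit.so   # nothing above has to succeed first
auth     required    pam_deny.so
account  required    pam_permit.so
"""

if __name__ == "__main__":
    for lineno, verdict, gates in audit_pam_permit(SAMPLE):
        print(f"line {lineno}: pam_permit.so in auth stack is {verdict}; gates={gates}")
```

A "gated" result only means some required rule comes first; a module such as pam_env.so always succeeds, so the listed gates still need to be reviewed by hand.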