Mailinglist Archive: opensuse-security (636 mails)

Re: [suse-security] LDAP authorisation?
  • From: Ørnulf Nielsen <on@xxxxxxxxx>
  • Date: Fri, 09 Feb 2001 16:36:57 +0100
  • Message-id: <3A840E99.9A741507@xxxxxxxxx>
> this is just an idea. We plan to set up some LDAP directory as
> addressbook. Maybe it's possible to make user authorisations via
> LDAP. I think I've heard about a "pam_ldap" module. For Linux
> this could work. Maybe there's some solution for Windows, too,
> maybe Samba or Win2K.
>
> Can (Open-) LDAP be used as YP replacement? When using MD5
> hashes (shouldn't be a problem, I guess) it would be more secure
> than YP.

LDAP uses SASL, and SASL supports the following mechanisms:
ANONYMOUS
CRAM-MD5
DIGEST-MD5
GSSAPI (MIT Kerberos 5 or Heimdal Kerberos 5)
KERBEROS_V4
PLAIN

You can also tell SASL to use PAM.

> Has anybody tried such things in practice? Is it stable or
> experimental stuff only? Is LDAP itself maybe a security problem?

All LDAP requests may be encrypted using SSL, so it shouldn't be a
problem.

Check out
http://www.mi.infn.it/~lobiondo/ldapnis.pdf

Further questions (about setup) should be posted to the OpenLDAP
mailing list or PADL's mailing list (pam_ldap).

--
Ørnulf Nielsen
