
This is yet another pam_ldap module.

The advantages of this particular version are:

  o Support for changing passwords in LDAP, optionally
    with NDS or Active Directory servers

  o Support for the V3 client API and protocol (to minimize
    rebinds)

  o Support for Netscape's SSL API and proprietary extensions

  o Compatibility with the nss_ldap configuration file format
    and POSIX configuration profile semantics

  o Supports ypldapd LDAP locator for plug-and-play installation

  o Supports Netscape Directory Server 3.x password policies and
    password expiration controls

  o Supports access authorization on the "host" attribute of the
    account objectclass, and on group membership

  o Supports generating crypted hashes locally for use with
    OpenLDAP and other University of Michigan derived LDAP
    servers

  o Bundled with Debian (Potato) and RedHat (Rawhide)
    distributions.

The module builds under both Linux 2.x and Solaris 2.x (see note below
regarding Solaris 7 - aka Solaris 2.7 - and above). NOTE - you MUST
use GNU Make (Solaris Make will not work).

Thanks to fellow Aussie Chris Albone who wrote the initial
pam_ldap_auth module.

I am indebted to Doug Nazar for his contributions to
this software.

I've tested this with Netscape Directory Server 3.1 under NT and
Solaris, the University of Michigan LDAP server, and Microsoft's
Exchange Server.

pam_ldap is only secure if used with a secure SASL mechanism (like
CRAM-MD5) or with transport security (like SSL/TLS). With simple
authentication, it is less secure than using UNIX hashed passwords,
because the LDAP bind request sends the password in the clear.

Here are some possible deployment scenarios:

  o pam_ldap with account information in /etc flat files,
    kept manually in sync with LDAP

  o pam_ldap with account information in LDAP, using
    nss_ldap

  o pam_ldap with account information in NIS, using
    ypldapd

FAQS
====

Don't forget to ensure that pam_ldap's link dependencies are
satisfied after installation (you can verify this by doing
ldd /usr/lib/security/pam_ldap.so.1). You must ensure that
any libraries that it depends on (such as the LDAP client
library) can be located by the dynamic linker. Otherwise,
libpam may fail to load the pam_ldap module.

Q: Using the Netscape LDAP library with pam_ldap on Solaris 8
- aka Solaris 2.8 - fails to link properly! David Begley writes:

There are two releases of the Netscape LDAP library, one marked
for Solaris 8 and the other marked for Solaris 2.6 - the additional
catch is that the Solaris 8 library is a 64-bit library (this is marked
on Netscape's site) whilst the other is a 32-bit library.

It doesn't matter if you have a 64-bit UltraSPARC processor running
the 64-bit Solaris kernel, if your compiler only works with 32-bit
objects then it won't successfully link the 64-bit Solaris 8
Netscape LDAP library.

GCC (up to version 2.95.2) does not work properly with 64-bit objects
under Solaris, so just use the Solaris 2.6 (32-bit) Netscape LDAP
library and everything should be fine.

Q: Can I use a third-party client LDAP library (such as Netscape's)
on Solaris 7? David Begley writes:

Yes, but if you have the Solaris 7 LDAP library installed (package
SUNWlldap or SUNWldapx) configure will find it before the third-party
library - in this case, you can't rely on the auto-lib-type detection of
configure and must use the "--with-ldap-lib=" parameter.

Q: Why does linking fail on Solaris 2.6 (complaining about
relocations remaining against libcrypt)?
David Begley
writes:

In short, the problem is that GCC is looking for a shared libcrypt
(in response to the "--shared" parameter) which doesn't exist on
Solaris 2.6 (but does on Solaris 7). The fix is quite simple, use
"-G" instead of "--shared" (could this be a GCC bug?). This change
should already be included in newer versions of pam_ldap.

It doesn't look like libcrypt is even needed if you're using the
Netscape LDAP client library (maybe it's required for OpenLDAP?).

Q: Where is ldap_ssl.h? It's in the Netscape LDAP
C SDK. Download it from developer.netscape.com. If you
don't want to use SSL, remove -DSSL from CFLAGS. I
don't have any experience building with the SSL/TLS
support in OpenLDAP.

Q: I get an undefined symbol "re_comp" under
FreeBSD. Try linking against libgnuregex (set
LDFLAGS=-lgnuregex before configuring).

Q: I get undefined symbols "pam_sm_authenticate"
&c. Make sure that you compile with -DPIC, eg:
CFLAGS=-DPIC LDFLAGS=-lgnuregex ./configure

Q: The pam_nds_passwd, pam_ad_passwd, and
pam_crypt options don't seem to work anymore. Why?
These have been replaced with the pam_password
attribute, which takes the values:

pam_password [clear|crypt|md5|nds|ad|exop]

clear -- send the new password in cleartext to
         the server. Use with Netscape
         Directory Server, others.

crypt -- crypt the password using the UNIX
         crypt(3) library call before updating
         userPassword.

md5   -- use inbuilt MD5 code to hash password

nds   -- do the right thing for updating
         NDS passwords

ad    -- do the right thing for updating
         Active Directory passwords

exop  -- use the password change extended
         operation, used by OpenLDAP

Q: Connecting to my LDAPv2 server used to
work, but doesn't anymore. Why?
LDAPv3 is now the default protocol.
To
use LDAPv2, if your client library doesn't
fall back automatically, set

ldap_version 2

in /etc/ldap.conf.

Scott M. Stone <sstone@foo3.com> writes:
Your openldap libs *and* your SSL/RSAREF libs must be DYNAMIC LIBRARIES
or neither nss_ldap nor pam_ldap will work.

Q: Solaris stdio bug

Mark Blackman <mark.blackman@netscalibur.co.uk> writes:

Our problem was triggered by the Solaris bug where stdio can
only open 256 STREAMS (fopen), i.e.
From http://www.science.uva.nl/pub/solaris/solaris2.html

"Programs using stdio or even library calls that use stdio may break when they
have more than 256 files open as that is the stdio limit. Programs using many
filedescriptors should try and reserve a number of low numbered file
descriptors for use by stdio."

We are running a large application from Critical Path (imsd) and they open
thousands of file descriptors under load. This is not a problem, however after
all these descriptors are open and when pam_ldap is loaded/called and it
attempts to open its config file '/etc/ldap.conf', it fails because of the
stdio bug that internally casts the 'int' file descriptor to a 'char'
representation in the FILEHANDLE structure.

To remedy this, we recommend that pam_ldap either keeps a set of compile time
specified defaults in the binary and harmlessly ignores the absence
of '/etc/ldap.conf' or rewrites the config file routines to use
open/close instead of the STREAMS version fopen/fclose or
makes it easy to link against SFIO
(http://www.research.att.com/sw/tools/sfio/)

Q: On Solaris, the following error was reported when OpenLDAP was
compiled shared but OpenSSL not:

fatal: relocation error: file /opt/lib/libldap.so.2: symbol
SSL_load_error_strings: referenced symbol not found

The workaround was to remove -M mapfile from the Makefile.
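As a worked version of the link-dependency check at the top of this FAQ (an added example, not part of pam_ldap itself), the script below runs ldd on the module and flags any shared library the dynamic linker reports as "not found", which is exactly the case in which libpam would fail to load the module. The default module path is the one given above; the sample ldd output is constructed for the demonstration.

```shell
# Added example (not pam_ldap's own code): detect unresolved shared-library
# dependencies of the pam_ldap module from `ldd` output.

# Print the names of libraries that ldd reports as "=> not found".
# Reads ldd output on stdin; prints nothing when every dependency resolves.
unresolved_deps() {
    # Resolved lines look like "libpam.so.0 => /lib/libpam.so.0 (0x...)";
    # unresolved ones look like "libldap.so.2 => not found".
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Run ldd against the installed module (default path from this README) and
# return 0 only if every dependency can be located by the dynamic linker.
check_pam_ldap_deps() {
    module="${1:-/usr/lib/security/pam_ldap.so.1}"
    [ -f "$module" ] || { echo "missing module: $module" >&2; return 2; }
    missing=$(ldd "$module" | unresolved_deps)
    if [ -n "$missing" ]; then
        echo "unresolved dependencies for $module:" >&2
        echo "$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample of ldd output (not captured from a real system), so the
# parser can be exercised on a machine without pam_ldap installed. Here the
# LDAP client library is the one the linker cannot find.
SAMPLE_LDD='	libpam.so.0 => /lib/libpam.so.0 (0x40017000)
	libldap.so.2 => not found
	liblber.so.2 => /usr/lib/liblber.so.2 (0x40025000)
	libcrypt.so.1 => /lib/libcrypt.so.1 (0x40030000)
	libc.so.6 => /lib/libc.so.6 (0x40040000)'

# Demonstration on the constructed sample: prints "libldap.so.2".
printf '%s\n' "$SAMPLE_LDD" | unresolved_deps
```

On a real installation run `check_pam_ldap_deps` (optionally with the module path as its argument) after installing or upgrading the LDAP client library; a non-zero exit names the libraries that need to be made visible to the dynamic linker.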

SUPPORT
=======

To discuss pam_ldap and related technologies, you may
subscribe to the following mailing lists:

  <URL:mailto:pamldap-request@padl.com>
and
  <URL:mailto:ldap-nis-request@padl.com>

Send an electronic mail message with "subscribe" in the
message body to join the list.

Note that PADL now offer commercial support on a
per-incident basis.

To request a support incident, send email to:

  <URL:mailto:pamldap-support@padl.com>

--
PADL Software Pty Ltd
pamldap-support@padl.com
http://www.padl.com/