PAM LDAP - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
PAM LDAP
  • Michael Tinker
  • September 16, 2004

2
Content Preview
  • PAM motivation and design
  • PAM internals
  • LDAP overview
  • PAM LDAP authentication

3
Motivation for PAM
  • Problems with traditional authentication
    • authentication built into system entry services
    • little administrative flexibility
    • difficulty in upgrading
  • Pluggable Authentication Modules (PAM)
    • use a generic, modular authentication framework

4
The PAM Framework
The PAM framework presents a generic API to applications needing authentication, and a generic SPI to modules providing authentication.

5
PAM Design Goals
  • The PAM framework allows for
    • setting a default authentication scheme
    • per-application configuration
    • authentication over protocol stacks
    • transparent low-level authentication
    • pluggable authentication-related modules

6
The PAM API for Applications
  • Interface overview
    • pam_start(service_name, user, pam_conversation, handle)
    • pam_authenticate(handle)
      • Transparently authenticate the user named in pam_start
    • pam_acct_mgmt(handle)
      • Check account and password expiration dates, etc.
    • pam_open/close_session(handle)
      • Log user interaction, mount directories, etc.
    • pam_chauthtok(handle)
      • Change the user's authentication token
    • pam_end(handle)
  • Implemented in libpam.so, libpam_misc.so

7
The PAM SPI
  • PAM API for service modules
    • pam_get/set_item(handle, item_type, item)
      • Get or set information associated with this handle
  • SPI interface
    • pam_sm_authenticate(handle)
      • Authenticate the user in the transaction pointed to by handle
    • pam_sm_acct_mgmt(handle)
      • Service provider analog of pam_acct_mgmt()
    • pam_sm_open/close_session(handle)
      • Service provider analog of pam_open/close_session()
    • pam_sm_chauthtok(handle)
      • Service provider analog of pam_chauthtok()
  • Implemented in every service module, e.g. pam_unix.so, pam_mail.so, pam_tally.so, pam_krb4.so

8
Using PAM
  • Use Linux as an example
  • The /etc/pam.d directory
    • Contains configuration files for PAM-compliant applications on the system
    • The files define how authentication-related tasks for their application should be handled
  • Example:

9
PAM Configuration Files
  • Syntax
    • module-type control-flag module-path args
  • Example
    • auth sufficient pam_userdb.so db=/tmp/dbtest
    • auth required pam_unix.so use_first_pass debug
  • Possible module types
    • auth, account, session, password
  • Control flag options
    • required, requisite, sufficient, optional
  • Most modules support a set of generic arguments

10
Module Types
  • auth
    • User authentication and credential-granting (corresponds to pam_authenticate())
  • account
    • Account management (pam_acct_mgmt())
  • session
    • Events beginning or ending service use (pam_open/close_session())
  • password
    • Authentication token management (pam_chauthtok())

11
Control Flags and Module Stacks
  • PAM can use a stack of modules
    • e.g. for service ftpd:
      • auth sufficient pam_ftp.so
      • auth required pam_unix.so use_first_pass
  • Control flag required means the module must succeed for authentication to occur
  • Flag requisite is required plus immediate return after failure
  • Flag sufficient means module success allows authentication unless a required module has already failed
  • Control flag optional indicates that a module does not affect authentication success

12
Generic Optional Arguments
  • debug
    • Use syslog() to log debugging information
  • use_first_pass
    • Use the stored authentication token from the previous module in the stack
    • Allows for unified login
  • use_mapped_pass
    • Generate a key to recover the authentication token required by the module
  • expose_account
    • Be friendly: allow the module to reveal more account information (e.g. the user's full name) than the default, which is to expose as little as possible

13
Example Configuration File

14
What is LDAP?
  • Lightweight Directory Access Protocol
  • Based on X.500, provides a mechanism to distribute information over a network using a hierarchy of servers
  • Allows secure transmission using SSL
  • An excellent choice to avoid replicating user account information over multiple hosts
  • Information is also categorized hierarchically by distinguished names (DN), e.g. UID=mtinker, OU=STUDENT, OU=CSCE, OU=AF, C=USA

15
Sample LDAP Entry
  • Attributes connected to a DN, again example UID=mtinker, OU=STUDENT, OU=CSCE, OU=AF, C=USA
    • objectclass: account
    • loginshell: /bin/bash
    • uidnumber: 112970
    • homedirectory: /home/mtinker
    • userpassword: {crypt}KDnOoUYN7Neac

16
PAM LDAP
  • Install the pam_ldap.so library
  • Configure /etc/ldap.conf
    • Specifies LDAP server location, DN of the search base, trusted CA database
  • Edit /etc/pam.d/myApp
    • As in the example configuration file
  • Probably use NSS LDAP as well
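
The DN hierarchy of slides 14 and 15 and the search base from /etc/ldap.conf on slide 16, as an added example that is not part of the presentation: it splits a DN into its RDNs (honouring the "\," escape for commas inside values) and checks whether an entry lies under the configured search base. The base "ou=CSCE,ou=AF,c=USA" and the second entry DN are constructed for the illustration.

```c
/* Added example, not from the slides: split a DN such as the slide's
 * "UID=mtinker,OU=STUDENT,OU=CSCE,OU=AF,C=USA" into RDNs (honouring "\,"
 * escapes) and check that an entry sits under the search base that
 * /etc/ldap.conf names. Base and second entry DN below are constructed. */
#include <stdio.h>
#include <string.h>
#include <strings.h>
#define MAX_RDN 16
typedef struct { int n; char rdn[MAX_RDN][64]; } dn_t;
/* Split on unescaped commas, most specific RDN first. Returns 0 on an
 * empty RDN or a DN deeper than MAX_RDN. */
int dn_parse(const char *s, dn_t *d) {
    int len = 0;
    d->n = 0;
    for (;; s++) {
        if (*s == '\\' && s[1] != '\0') {            /* escaped byte, e.g. "\," */
            if (len < 61) { d->rdn[d->n][len++] = *s; d->rdn[d->n][len++] = s[1]; }
            s++;
            continue;
        }
        if (*s == ',' || *s == '\0') {
            if (len == 0) return 0;                  /* empty RDN, e.g. "a=b,,c=d" */
            d->rdn[d->n++][len] = '\0';
            if (*s == '\0') return 1;
            if (d->n >= MAX_RDN) return 0;           /* too deep for this table */
            len = 0;
            while (s[1] == ' ') s++;                 /* tolerate "OU=A, OU=B" */
            continue;
        }
        if (len < 62) d->rdn[d->n][len++] = *s;
    }
}
/* An entry is in scope when every RDN of base matches the tail of dn.
 * RDNs are compared case-insensitively, a simplification of LDAP's
 * caseIgnoreMatch that is adequate for the attribute types used here. */
int dn_under_base(const char *dn, const char *base) {
    dn_t d, b;
    if (!dn_parse(dn, &d) || !dn_parse(base, &b) || b.n > d.n) return 0;
    for (int i = 1; i <= b.n; i++)
        if (strcasecmp(d.rdn[d.n - i], b.rdn[b.n - i]) != 0) return 0;
    return 1;
}
int main(void) {
    const char *base = "ou=CSCE,ou=AF,c=USA";   /* constructed search base */
    printf("%d %d\n", dn_under_base("UID=mtinker,OU=STUDENT,OU=CSCE,OU=AF,C=USA", base),
                      dn_under_base("uid=mtinker,ou=STUDENT,ou=ENGR,ou=AF,c=USA", base));
    return 0;
}
```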

17
PAM/LDAP Schematic