[SOLVED] Does the use of LDAP to communicate with Windows Active Directory require PAM?
I want to use LDAP on SUSE 10 to authorize the use of certain objects within IBM's MQ Series via the setmqaut command. I do not want to authenticate these users to the Linux server itself via LDAP. Users that actually log onto the Linux server will be authenticated through a product from Quest formerly known as VAS. My question is, does LDAP require the use of PAM or can I utilize the facilities within LDAP to communicate with a Windows Active Directory so that I can authorize the use of MQ Series objects and not authenticate actual users that would log onto the server?
Are you writing the authentication against LDAP on the Linux box or using something built into the script that needs to be controlled? You do need to use PAM with LDAP if you would authenticate any system service against the MS AD. Otherwise, it shouldn't be necessary but we would need more details about the configuration before we could say for sure.
I'm not wanting to do AUTHENTICATION. IBM's MQ Series is messaging software. A user must have the AUTHORITY to open a queue manager, write a message to a queue, read a message from a queue, etc. The server piece of MQ Series resides on the Linux guest. When a message is sent to the server, MQ Series will check the user id within the message to ensure that the user id has the authority to do certain functions. That user id must exist and that is all MQ is concerned with. It does not care about the password, group id, user id, etc., just that the user id exists. Using MQ commands I have given MQ the information where that ID exists, in this case in a group housed on Active Directory. Internally MQ is going to make a security call, whether it be local or to Active Directory via LDAP.
Therefore I want to use LDAP to validate the authority of a user id to be able to carry out certain MQ functions. This user id will NEVER log onto the physical server and be authenticated. Authentication of users who need to administer the physical server will be handled by third party software. I cannot use this third party software with MQ because of licensing problems.
Then the answer is yes, you can perform LDAP queries against MS AD, but changing some items on AD 2008 is a bit tricky if you would need to do that as well.
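An added example, not part of the original thread and not MQ's or any poster's code: an authorization-only lookup of the kind discussed above, with no PAM involved, reduces to one LDAP search filter plus a check of what comes back. The group DN, user id and LDIF text are constructed sample values; the filter string can be passed to any LDAP client, and because the user id arrives inside a message it is escaped per RFC 4515 before being placed in the filter.

```python
import base64

# RFC 4515: these characters must be written as \XX inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape an untrusted string so it cannot alter the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def authz_filter(user_id, group_dn, nested=False):
    """Filter that matches the AD user only if it is a member of group_dn."""
    # 1.2.840.113556.1.4.1941 is AD's LDAP_MATCHING_RULE_IN_CHAIN (follows nested groups).
    member_attr = "memberOf:1.2.840.113556.1.4.1941:" if nested else "memberOf"
    return "(&(objectCategory=person)(objectClass=user)(sAMAccountName={})({}={}))".format(
        escape_filter_value(user_id), member_attr, escape_filter_value(group_dn))

def entry_dns(ldif):
    """Return the entry DNs found in LDIF text, unfolding wrapped lines first."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF continuation line
        else:
            lines.append(raw)
    dns = []
    for line in lines:
        if line.startswith("dn:: "):      # base64-encoded DN (non-ASCII characters)
            dns.append(base64.b64decode(line[5:]).decode("utf-8"))
        elif line.startswith("dn: "):
            dns.append(line[4:])
    return dns

def is_authorized(ldif):
    """Allow only when exactly one entry matched; zero or several means deny."""
    return len(entry_dns(ldif)) == 1

# Constructed sample values (assumptions, not taken from the thread).
GROUP_DN = "CN=MQ Users,OU=Groups,DC=example,DC=com"
SAMPLE_LDIF = (
    "dn: CN=John Doe,OU=Staff,\n"
    " DC=example,DC=com\n"
    "sAMAccountName: jdoe\n"
)

if __name__ == "__main__":
    print(authz_filter("jdoe", GROUP_DN))
    print(is_authorized(SAMPLE_LDIF))
```

No password for the looked-up user is involved at any point; the only credential needed is whatever account the client itself uses to bind to the directory.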