Help answer threads with 0 replies.
Go Back > Forums > Linux Forums > Linux - Security
User Name
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


  Search this Thread
Old 09-26-2010, 05:58 AM   #1
Registered: Apr 2009
Posts: 74

Rep: Reputation: 16
Unhappy LDAP authentication - allowing blank passwords HOW-TO

I need to understand how LDAP user authentication works since I need to put password restrictions on the users but am not able to get it working correctly

Came through this link which says that LDAP(pam_ldap) always use binding as authentication and never reads userPassword. That is only read by nss_ldap

pam_ldap and nss_ldap work differently ?

If that is the case, if I have allowed anonymous binding on my LDAP server, should not I be able to login (ssh) into my machines with any valid user name and blank password (if I have pam for system-auth setup correctly)

Also, with any blank username and blank passwords ??
This link also talks about 'anonymous simple authentication'

Adding allow_anon_cred and allow_anon_dn in slapd.conf should be enuf or I need to do something extra

Any help would be extremely helpful. Let me know your views/ideas about nsswitch and PAM settings

Last edited by luvshines; 09-26-2010 at 05:59 AM. Reason: Making more comprehensive
Old 09-26-2010, 09:49 PM   #2
Registered: Jan 2008
Distribution: RHEL, CentOS, Ubuntu
Posts: 379

Rep: Reputation: 38
If I understand your question correctly i think that you are talking about ACLs when you say "anonymous bind". That just means that someone who authenticates as anonymous can read/write your directory based on the ACL you configure.

Setting up password restriction in openldap requires including the ppolicy module and also creating a check Password module that is called by pwdCheckModule as well as the pwdCheckQuality attribute requiring the check.

I find it easier to use Pam in a semi controllable environment.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Allowing users to change their own passwords kaplan71 Linux - Security 3 03-08-2007 10:32 AM
help with allowing simple passwords jjd228 Linux - General 7 02-10-2007 04:57 PM
Allowing users to change passwords on LDAP topcat Linux - General 10 09-16-2004 12:09 PM
Allowing weak passwords? Passive Linux - General 2 10-24-2002 06:12 AM
using blank passwords linus Linux - General 5 01-15-2002 02:42 PM > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 05:49 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration