PAM/LDAP httpd auth but no system account ?

Jed Donnelley jed at nersc.gov
Thu Sep 30 21:05:38 UTC 2004


At 11:56 AM 9/30/2004, Michael Chang wrote:

>...so you basically want all authentication to happen against an LDAP
>server, but you also want to be granular with respect to who can access
>certain httpd services and who can access other services such as ssh or login.

Not quite.  I want httpd to authenticate to LDAP, fully.  For everything else I
want authentication to happen locally - except that I would like to accept
LDAP passwords for users that are in the local /etc/passwd file.

>Where I worked over the summer, we had the same need.  pam_ldap is able to
>restrict access based upon the service that is being requested; however, it
>requires an extra objectclass and attribute(s) for each user.
>The additional objectclass is named 'authorizedServiceObject', and the
>attribute (multi-valued) is 'authorizedService'.
>
>See the following URL for more details:
>  http://www.netsys.com/pamldap/2003/05/msg00034.html
>
>You may or may not have problems, depending upon the LDAP server you're
>using.  Our setup was RHELAS3 with Sun One DS, and it worked like a charm
>with the default OpenLDAP and PADL libraries shipped with RHEL.  I'm not sure
>about ES2.1 -- you may have to grab the latest versions of those libs.

Upgrading to RHEL3 (ES anyway) would not be a problem.  However,
making a change like the above to our LDAP data would be a substantial
problem as that data is populated from Oracle through a mechanism that I only
have tenuous access to.  Putting in system specific changes to the base
Oracle data I think would be a nonstarter.

I believe that if I switch to mod_auth_ldap then I can request httpd
to authenticate completely to LDAP.  I can also leave my nsswitch.conf
set to:

passwd:    files
shadow:    files ldap
group:     files ldap

so PAM/LDAP will pick up the LDAP password but NOT make /etc/passwd
entries available for users defined in LDAP but not in the /etc/passwd file.

That is what I would like to achieve.  If I can do that with local configuration
changes to PAM (nsswitch.conf, ldap.conf) that would be great, but sadly
it would be a big change to start making system specific changes to our
LDAP data as it comes from Oracle.

Thanks for taking time to respond Michael!  I'd really like to do this
authentication through PAM if possible and avoid a bunch of issues with
problems using mod_auth_ldap.  Any other thoughts are most welcome.

--Jed http://www.webstart.com/jed/ 
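As an added illustration (not part of the mail above), the following Python model walks NSS sources the way glibc does for the nsswitch.conf lines quoted in the mail, under the default actions (a source that answers ends the lookup, a source that has no entry passes to the next one); the account data is constructed, and it also shows the case worth checking before relying on this setup: a user who already has a local /etc/shadow entry never reaches the LDAP shadow map.

```python
# Added example, not from the original mail: a small model of glibc NSS
# resolution for the nsswitch.conf quoted above.  Default NSS actions are
# assumed: SUCCESS=return, NOTFOUND=continue.  All account data is constructed.

NSSWITCH = {                      # the nsswitch.conf lines from the mail
    "passwd": ["files"],
    "shadow": ["files", "ldap"],
    "group":  ["files", "ldap"],
}

# Constructed sample maps: what /etc/passwd, /etc/shadow and the LDAP
# directory would each answer for a given user name.
SOURCES = {
    "files": {
        "passwd": {"alice": "alice:x:1001:1001::/home/alice:/bin/bash",
                   "jed":   "jed:x:1000:1000::/home/jed:/bin/bash"},
        "shadow": {"jed": "jed:!!:12600:0:99999:7:::"},   # locked local entry
    },
    "ldap": {
        "passwd": {"alice": "alice:x:1001:1001::/home/alice:/bin/bash",
                   "jed":   "jed:x:1000:1000::/home/jed:/bin/bash",
                   "bob":   "bob:x:1002:1002::/home/bob:/bin/bash"},
        "shadow": {"alice": "alice:{SSHA}constructed:12600:0:99999:7:::",
                   "jed":   "jed:{SSHA}constructed:12600:0:99999:7:::",
                   "bob":   "bob:{SSHA}constructed:12600:0:99999:7:::"},
    },
}


def nss_lookup(database, name):
    """Return (source, entry) from the first source holding the entry, else None."""
    for source in NSSWITCH[database]:
        entry = SOURCES[source].get(database, {}).get(name)
        if entry is not None:          # SUCCESS: stop here, later sources are skipped
            return source, entry
    return None                        # NOTFOUND in every listed source


def can_use_ldap_password(name):
    """Outcome the mail is after: local account required, password from LDAP."""
    if nss_lookup("passwd", name) is None:
        return False, "no local account"          # LDAP-only user is invisible
    shadow = nss_lookup("shadow", name)
    if shadow is None:
        return False, "no shadow entry"
    if shadow[0] == "files":
        return False, "local shadow entry wins"   # LDAP is never consulted
    return True, "password comes from ldap"


if __name__ == "__main__":
    for user in ("alice", "jed", "bob"):
        print(user, can_use_ldap_password(user))
```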