[ale] How LDAP works with authentication

Jason Day jasonday at worldnet.att.net
Wed Oct 12 14:10:21 EDT 2005


On Tue, Oct 11, 2005 at 08:36:09PM -0400, Christopher Fowler wrote:
> When a system requests a user record from the LDAP database does that
> system also return the user password?  

Seems like I remember reading a security advisory that Domino did this,
and that it wasn't a good thing.  I can't find the reference though.

> What I plan to do is to implement getldappwnam().  This will be embedded
> in my version of getpwnam().  This is so programs like ssh, telnet, web
> interface, yada do not have to be modified to support LDAP.  They simply
> call getpwnam() as normal and my code then does the right thing.
> 
> 1.  Check flash for user 'bob'.
> 2.  If not and LDAP is configured then exec getldappwnam() and
>     check for 'bob' in central server.  
> 3.  If we have a match construct a passwd structure based on data
>     received from LDAP server and then return that from getpwnam().

Whenever I've used LDAP for authentication, I send the username and
password to the LDAP server, and the LDAP server says yes or no.  Of
course, that means you're sending the password in plain text over the
network.  If SSL is an option you can use that for the LDAP connection.
Then again, sending the password hashes over the network is only more
secure if everyone uses a good, strong password.

> The only problem I see is that we support what we call ACL's.  These are
> extended attributes or user groups that give the users specific access
> to ports, power control, etc.  Is it possible for LDAP to store that
> data too and we can fetch that?  

I'm a bit out of my element here, but I'm pretty sure you can store
arbitrary data in a user object in LDAP.  Also, depending on how the
LDAP server is configured, search queries may require you to
authenticate first, or may return different information depending on
whether or not you are authenticated.  If you have control of the LDAP
server then of course that's not a problem.

Jason
-- 
Jason Day                                       jasonday at
http://jasonday.home.att.net                    worldnet dot att dot net
 
"Of course I'm paranoid, everyone is trying to kill me."
    -- Weyoun-6, Star Trek: Deep Space 9
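The "send the username and password, the server says yes or no" exchange Jason describes is an LDAPv3 simple bind (RFC 4511). The following is an added example, not code from the thread or from any LDAP library: it hand-encodes the BindRequest and BindResponse messages in BER so both sides of the exchange are visible, including the fact that the simple-bind password travels as a plain OCTET STRING unless the connection is wrapped in SSL/TLS. The DN, the password and the DIRECTORY table are constructed sample data, and all function names are the example's own.

```python
SUCCESS, INVALID_CREDENTIALS = 0, 49   # LDAP resultCode values (RFC 4511)
# Constructed sample directory; the server compares, it never returns the secret.
DIRECTORY = {"uid=bob,ou=people,dc=example,dc=com": "correct horse"}

def _tlv(tag, payload):
    """Encode one BER tag-length-value; short-form length only (payload under 128 bytes)."""
    assert len(payload) < 0x80, "long-form lengths are out of scope for this example"
    return bytes([tag, len(payload)]) + payload

def _read_tlv(buf):
    tag, length = buf[0], buf[1]
    return tag, buf[2:2 + length], buf[2 + length:]      # (tag, value, rest)

def _children(buf):
    out = []                                             # every TLV inside a constructed value
    while buf:
        tag, value, buf = _read_tlv(buf)
        out.append((tag, value))
    return out

def bind_request(message_id, dn, password):
    """LDAPMessage{messageID, BindRequest [APPLICATION 0]{version 3, name, simple [0]}}."""
    bind = _tlv(0x02, bytes([3])) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x60, bind))

def parse_bind_request(msg):
    (_, mid), (tag, bind) = _children(_read_tlv(msg)[1])        # no controls expected
    (_, version), (_, dn), (auth_tag, secret) = _children(bind)
    if tag != 0x60 or auth_tag != 0x80:
        raise ValueError("expected a BindRequest using simple authentication")
    return mid[0], version[0], dn.decode(), secret.decode()

def bind_response(message_id, code, diag=""):
    """BindResponse [APPLICATION 1]{resultCode ENUMERATED, matchedDN, diagnosticMessage}."""
    result = _tlv(0x0A, bytes([code])) + _tlv(0x04, b"") + _tlv(0x04, diag.encode())
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x61, result))

def parse_bind_response(msg):
    (_, mid), (_, result) = _children(_read_tlv(msg)[1])
    (_, code), _matched_dn, (_, diag) = _children(result)
    return mid[0], code[0], diag.decode()

def server_handle(raw):
    """Server side of a simple bind: look the DN up, compare, answer yes or no."""
    mid, _version, dn, secret = parse_bind_request(raw)
    ok = DIRECTORY.get(dn) == secret
    return bind_response(mid, SUCCESS if ok else INVALID_CREDENTIALS, "" if ok else "invalid credentials")

def authenticate(dn, password, message_id=1):
    _mid, code, _diag = parse_bind_response(server_handle(bind_request(message_id, dn, password)))
    return code == SUCCESS
```

Dumping `bind_request(...)` shows why Jason's SSL remark matters: the password bytes sit verbatim inside the request, which is also what a getpwnam()-style wrapper would be putting on the wire on every login.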
