Sean Finney on 17 Mar 2011 00:59:20 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] script to verify users credentials using pam on Ubuntu


On Wed, 2011-03-16 at 11:21 -0400, Lee Marzke wrote:
> use case:
> I'm just trying to authenticate web users against AD,  but the AD  
> server requires a bind before I can verify
> user password. So on a windows box I have a script that work ( and the  
> bind isn't  enforced )
> I though joining Ubuntu to the domain ( with Likewise Open) would fix  
> this , but it hasn't )  .  So I'm now looking
> for a way to use the Likewise pam modules to verify the user credentials.

In most cases with AD/LDAP based authentication in a webapp, the
application will use a "service account", i.e. an empty system account
which can do nothing but bind and perform directory searches, to do the
intial query.

Basically, the user logs in with their credentials, and then the app
binds to AD with the service account and does a search for the dn of the
username.  once it finds that, it takes the DN along with their password
and attempts to authenticate.

This requires support from either (a) the application, or (b) apache
(assuming you can use HTTP auth in the app), but is how 99% of the well
written LDAP/AD auth backends work, in my experience.  Or, at least the
ones that are not kerberized, which if you're already using AD is
something else to think about.


Attachment: signature.asc
Description: This is a digitally signed message part

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --