Sean Finney on 17 Mar 2011 00:59:20 -0700
Re: [PLUG] script to verify users credentials using pam on Ubuntu
hi,

On Wed, 2011-03-16 at 11:21 -0400, Lee Marzke wrote:
> use case:
> I'm just trying to authenticate web users against AD, but the AD
> server requires a bind before I can verify
> user password. So on a windows box I have a script that works ( and the
> bind isn't enforced )
>
> I thought joining Ubuntu to the domain ( with Likewise Open) would fix
> this , but it hasn't ) . So I'm now looking
> for a way to use the Likewise pam modules to verify the user credentials.

In most cases with AD/LDAP based authentication in a webapp, the application will use a "service account", i.e. an empty system account which can do nothing but bind and perform directory searches, to do the initial query. Basically, the user logs in with their credentials, and then the app binds to AD with the service account and does a search for the DN of the username. Once it finds that, it takes the DN along with their password and attempts to authenticate.

This requires support from either (a) the application, or (b) apache (assuming you can use HTTP auth in the app), but is how 99% of the well written LDAP/AD auth backends work, in my experience. Or, at least the ones that are not kerberized, which if you're already using AD is something else to think about.

sean
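The search-then-bind flow described in the message above, as an added example that is not part of the original post or of any project's code. `FakeDirectory` is a hypothetical in-memory stand-in for an LDAP/AD connection, and every DN, account name and password in it is constructed sample data; the `sAMAccountName` filter attribute is an assumption about how the webapp maps usernames.

```python
# Added example: search-then-bind against a constructed in-memory directory.
# FakeDirectory stands in for a real LDAP/AD connection; all DNs, account
# names and passwords below are constructed sample data.

def escape_filter(value):
    """Escape RFC 4515 special characters so a username cannot alter the filter."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


class FakeDirectory:
    """Hypothetical stand-in: bind(dn, password) and search(filter) only."""
    ENTRIES = {  # dn -> (sAMAccountName, password)
        "CN=svc-web,OU=Service,DC=example,DC=test": ("svc-web", "svc-secret"),
        "CN=Alice Ng,OU=Staff,DC=example,DC=test": ("alice", "correct horse"),
        "CN=Bob Roe,OU=Staff,DC=example,DC=test": ("bob", "hunter2"),
    }

    def __init__(self):
        self.bound_as = None

    def bind(self, dn, password):
        entry = self.ENTRIES.get(dn)
        ok = entry is not None and password == entry[1]
        self.bound_as = dn if ok else None
        return ok

    def search(self, ldap_filter):
        if self.bound_as is None:
            raise PermissionError("search requires a bind")  # as in the thread
        wanted = ldap_filter[len("(sAMAccountName="):-1]
        if wanted == "*":  # an unescaped wildcard matches every entry
            return list(self.ENTRIES)
        return [dn for dn, (name, _) in self.ENTRIES.items()
                if escape_filter(name) == wanted]


def authenticate(username, password, svc_dn, svc_password, connect=FakeDirectory):
    """Return the user's DN on success, None on any authentication failure."""
    if not username or not password:
        return None  # empty password = unauthenticated bind (RFC 4513), reject early
    conn = connect()
    if not conn.bind(svc_dn, svc_password):       # 1. bind as the service account
        raise RuntimeError("service account bind failed")
    hits = conn.search("(sAMAccountName=%s)" % escape_filter(username))  # 2. find DN
    if len(hits) != 1:
        return None  # unknown or ambiguous user
    user_conn = connect()                         # 3. fresh connection, bind as user
    return hits[0] if user_conn.bind(hits[0], password) else None
```

With a real directory, the same three checks apply: escape the username before it enters the filter, refuse empty passwords before binding, and require exactly one search hit.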
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug