[ale] How LDAP works with authentication
Christopher Fowler
cfowler at outpostsentinel.com
Tue Oct 11 20:36:09 EDT 2005
Aler's
I'm getting ready to implement LDAP support in our product. I'm very
new to LDAP and I've got a question about how LDAP works internally for
user authentication.
When a system requests a user record from the LDAP database does that
system also return the user password?
In unix when a user logs into the system the software that is doing the
authentication uses getpwnam() to retrieve the /etc/passwd record for
that user. One thing that is returned is the one-way encrypted
password. So a program like /bin/login will typically authenticate a
user via this process:
1. Ask for username.
2. Ask for password.
3. use getpwnam() to retrieve all
user details like uid,gid,shell,full name, and password
4. uses the crypt() function to encrypt the password supplied
by the user using the salt of the stored password.
5. uses strncmp() to compare the encrypted password and the
stored encrypted password. If the password supplied was
encrypted using the same salt as the stored password then
they should match.
6. Exec struct passwd->shell.
What I plan to do is to implement getldappwnam(). This will be embedded
in my version of getpwnam(). This is so programs like ssh, telnet, web
interface, yada do not have to be modified to support LDAP. They simply
call getpwnam() as normal and my code then does the right thing.
1. Check flash for user 'bob'.
2. If not and LDAP is configured then exec getldappwnam() and
check for 'bob' in central server.
3. If we have a match construct a passwd structure based on data
received from LDAP server and then return that from getpwnam().
Those that are familiar with the internals of LDAP hopefully can tell me
if this plan will work. I did the exact same thing when we added radius
support. The real apps always execute getpwnam(). Then if there are no
users on flash to match and radius was configured getradpwnam() would
then attempt to retrieve radius data.
The only problem I see is that we support what we call ACL's. These are
extended attributes or user groups that give the users specific access
to ports, power control, etc. Is it possible for LDAP to store that
data too, and can we fetch that?
One idea and I know someone here will mention it is to execute a PAM
like system. There is no room for PAM on these devices. Plus we would
have to modify PAM to support our storage of configuration. Our device
is embedded Linux but it is not a flash chip with a distro installed
like many embedded devices. It has a real embedded design and relies on
no files to store things like user accounts, port configuration, etc.
Configuration is in one place in flash, not littered all over the place
in /etc.
Chris
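The two procedures in the post (the login flow in steps 1-6 and the chained getpwnam() lookup that tries flash first and then the central server) sketched as an added Python example. This is not code from the post or from the poster's product. The "flash" table and the directory table are constructed in-line; the directory lookup is a stand-in dictionary rather than a real LDAP query, and the `$x$salt$digest` hash format with PBKDF2 is an assumed stand-in for crypt(3) so the block runs offline. Two details differ from the steps as written: the comparison uses a constant-time compare instead of strncmp(), and an unknown user is still run through a hash comparison so the lookup does not return measurably faster than a wrong password.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Assumed stand-in for a crypt(3) scheme: "$x$<salt>$<hex digest>".
# Not a real crypt(3) identifier; constructed for this example only.
SCHEME_ID = "x"
ITERATIONS = 50_000


@dataclass
class PasswdRecord:
    """Roughly the fields of struct passwd, plus the poster's ACL attributes."""
    name: str
    pw_hash: str
    uid: int
    gid: int
    gecos: str
    shell: str
    acls: tuple  # extended attributes: ports, power control, ...


def make_hash(password: str, salt: Optional[str] = None) -> str:
    """One-way, salted hash in the stand-in format (replaces crypt())."""
    if salt is None:
        salt = os.urandom(8).hex()
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS)
    return f"${SCHEME_ID}${salt}${digest.hex()}"


# Constructed local "flash" user store (first place getpwnam() looks).
FLASH_USERS = {
    "bob": PasswdRecord("bob", make_hash("bob-local-pw", "a1b2c3d4e5f60718"),
                        1000, 1000, "Bob Local", "/bin/sh", ("port1",)),
}

# Constructed stand-in for the central directory; attribute names are
# assumed. A real implementation would query the LDAP server here.
DIRECTORY_USERS = {
    "alice": {"uidNumber": 2000, "gidNumber": 2000, "cn": "Alice Remote",
              "loginShell": "/bin/sh", "acl": ["port2", "power"],
              "userPassword": make_hash("alice-dir-pw", "0f1e2d3c4b5a6978")},
}

# Hash compared against when the user does not exist, so the failure path
# costs the same as a wrong password and does not leak which names are valid.
DUMMY_HASH = make_hash("dummy", "00000000deadbeef")


def getdirpwnam(name: str) -> Optional[PasswdRecord]:
    """Stand-in for getldappwnam(): build a passwd record from directory data."""
    entry = DIRECTORY_USERS.get(name)
    if entry is None:
        return None
    return PasswdRecord(name, entry["userPassword"], entry["uidNumber"],
                        entry["gidNumber"], entry["cn"], entry["loginShell"],
                        tuple(entry["acl"]))


def getpwnam(name: str) -> Optional[PasswdRecord]:
    """Flash first; fall through to the central directory only on a miss."""
    record = FLASH_USERS.get(name)
    if record is not None:
        return record
    return getdirpwnam(name)


def verify_password(stored_hash: str, supplied: str) -> bool:
    """Re-hash with the stored salt and compare in constant time."""
    parts = stored_hash.split("$")
    if len(parts) != 4 or parts[1] != SCHEME_ID:
        return False
    recomputed = make_hash(supplied, parts[2])
    return hmac.compare_digest(recomputed.encode(), stored_hash.encode())


def login(name: str, supplied: str) -> Optional[str]:
    """Steps 1-6 of the post: look up, verify, return the shell to exec."""
    record = getpwnam(name)
    stored = record.pw_hash if record is not None else DUMMY_HASH
    ok = verify_password(stored, supplied)
    if record is None or not ok:
        return None
    return record.shell


if __name__ == "__main__":
    print("bob  :", login("bob", "bob-local-pw"))
    print("alice:", login("alice", "alice-dir-pw"))
    print("carol:", login("carol", "whatever"))
```

Whatever the record source, the ACL tuple rides along inside the record, which is the shape the post asks about: the directory entry carries the extra attributes, and getdirpwnam() maps them into the same structure the flash path produces, so callers see one type.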