[ale] How LDAP works with authentication

Christopher Fowler cfowler at outpostsentinel.com
Wed Oct 12 22:04:36 EDT 2005


On Wed, 2005-10-12 at 21:34 -0400, Jason Day wrote:
> Ouch.  Are you sure?  Once you authenticate to the LDAP server, you can
> retrieve the user object, which should have most, if not all, of the
> information you would need to implement getpwnam.  Except the password,
> but do you need it at that point?

Yes.

getpwnam() takes one argument: the username.  It returns a data object
that contains the password.  What you are telling me is that it is LDAP's
responsibility to auth the user.  So I must send the password and name
to LDAP for auth.  getpwnam() does not work that way.  It requires the
app to do the password checking.  My method of placing the LDAP code
inside of getpwnam() would automatically make all programs like OpenSSH
support LDAP by default.

Here is how getpwnam() is used, in pseudo code.

#include <crypt.h>   /* crypt(3); link with -lcrypt */
#include <pwd.h>     /* getpwnam(3), struct passwd */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

char user[256], password[256];
printf("Username: ");
if (!fgets(user, sizeof user, stdin)) exit(1);
user[strcspn(user, "\n")] = '\0';               /* drop the trailing newline */
printf("Password: ");
if (!fgets(password, sizeof password, stdin)) exit(1);
password[strcspn(password, "\n")] = '\0';
struct passwd *p = getpwnam(user);              /* NULL if the user does not exist */
if (p == NULL) { fputs("Invalid login.\n", stderr); exit(1); }
/* pw_passwd carries the salt; on shadowed systems it is "x" and the hash
   comes from getspnam(3) instead */
char *pass = crypt(password, p->pw_passwd);
if (pass == NULL || strcmp(pass, p->pw_passwd) != 0) {
  fputs("Invalid login.\n", stderr); exit(1);
}

execl(p->pw_shell, p->pw_shell, (char *)NULL);  /* only reached on success */

Notice how the code above was responsible for verifying the password.
What you told me was that the LDAP server does that job.
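The two verification models the thread contrasts, as an added example that is not code from either poster. The account table, the directory contents and the DN layout (`uid=<user>,ou=people,dc=example,dc=com`) are constructed for the example, and PBKDF2-HMAC-SHA256 stands in for crypt(3) so the block runs without libcrypt. In the classic flow the application receives the stored hash from a getpwnam()-style lookup and checks the password itself; in the LDAP flow the NSS record carries only a placeholder, so the application has to hand the credentials to the directory and let a simple bind decide.

```python
"""Where a password gets verified: in the application (getpwnam + crypt)
or in the directory (LDAP simple bind).  Added example with a constructed
in-memory account table; PBKDF2 stands in for crypt(3)."""

import hashlib
import hmac
from typing import Optional

PBKDF2_ROUNDS = 10_000


def make_hash(password: str, salt: bytes) -> str:
    """Self-describing hash string, in the spirit of crypt(3)'s "$id$salt$hash"."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"$pbkdf2${salt.hex()}${digest.hex()}"


def check_hash(password: str, stored: str) -> bool:
    """Recompute the hash and compare in constant time.  The mail's
    strcmp() on the crypt() output leaks timing; hmac.compare_digest does not.
    Placeholders such as "*", "x" or "!" have no hash and can never verify."""
    try:
        _, scheme, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed NSS view: what a getpwnam() call would hand the application.
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
PASSWD_DB = {
    # local account: the hash is in the record, so the app can verify itself
    "alice": {"pw_passwd": make_hash("correct horse", _SALT), "pw_shell": "/bin/sh"},
    # LDAP-backed account: NSS returns only a placeholder, never the hash
    "bob": {"pw_passwd": "*", "pw_shell": "/bin/bash"},
}


def getpwnam(name: str) -> Optional[dict]:
    """Stand-in for getpwnam(3): the record, or None for an unknown user."""
    return PASSWD_DB.get(name)


class DirectoryServer:
    """Minimal model of the LDAP side: the server holds the hashes and
    verifies a simple bind itself; the client never sees the stored hash."""

    def __init__(self) -> None:
        self._entries = {
            "uid=bob,ou=people,dc=example,dc=com": make_hash("hunter2", _SALT),
        }

    def bind(self, dn: str, password: str) -> bool:
        # A DN with an empty password is an *unauthenticated* bind
        # (RFC 4513 section 5.1.2); treat it as a failed login, never as success.
        if password == "":
            return False
        stored = self._entries.get(dn)
        return stored is not None and check_hash(password, stored)


DIRECTORY = DirectoryServer()


def authenticate(user: str, password: str) -> str:
    """Return "local" if the app verified the hash itself, "ldap" if the
    directory verified a bind, or "denied"."""
    p = getpwnam(user)
    if p is None:
        return "denied"
    if check_hash(password, p["pw_passwd"]):
        return "local"
    if p["pw_passwd"] == "*":
        # No hash available locally: only the directory can decide.
        dn = f"uid={user},ou=people,dc=example,dc=com"
        if DIRECTORY.bind(dn, password):
            return "ldap"
    return "denied"


if __name__ == "__main__":
    for u, pw in [("alice", "correct horse"), ("alice", "wrong"),
                  ("bob", "hunter2"), ("bob", ""), ("nobody", "x")]:
        print(f"{u!r:10} -> {authenticate(u, pw)}")
```

The `bob` record shows why the getpwnam()-only approach cannot carry LDAP authentication: the lookup returns nothing the application could run crypt() against, so the only verification path left is one where the directory checks the password, which in practice is what a PAM module does alongside the NSS lookup.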
