Michael Tinker September 16, 2004


1 PAM LDAP
Michael Tinker, September 16, 2004

2 Content Preview
PAM motivation and design
PAM internals
LDAP overview
PAM LDAP authentication

3 Motivation for PAM
Problems with traditional authentication:
authentication built into system entry services
little administrative flexibility
difficulty in upgrading
Pluggable Authentication Modules (PAM) use a generic, modular authentication framework instead

4 The PAM Framework
The PAM framework presents a generic API to applications needing authentication, and a generic SPI to modules providing authentication.

5 PAM Design Goals
The PAM framework allows for:
setting a default authentication scheme per application
configuring authentication over protocol stacks
transparent low-level authentication
pluggable authentication-related modules

6 The PAM API for Applications
Interface overview:
pam_start(service_name, user, pam_conversation, handle)
pam_authenticate(handle): transparently authenticate the user named in pam_start()
pam_acct_mgmt(handle): check account and password expiration dates, etc.
pam_open_session(handle) / pam_close_session(handle): log user interaction, mount directories, etc.
pam_chauthtok(handle): change the user's authentication token
pam_end(handle)
Implemented in libpam.so and libpam_misc.so

7 The PAM SPI (PAM API for Service Modules)
pam_get_item(handle, item_type, item) / pam_set_item(handle, item_type, item): get or set information associated with this handle
SPI interface:
pam_sm_authenticate(handle): authenticate the user in the transaction pointed to by handle
pam_sm_acct_mgmt(handle): service-provider analog of pam_acct_mgmt()
pam_sm_open_session(handle) / pam_sm_close_session(handle): service-provider analog of pam_open/close_session()
pam_sm_chauthtok(handle): service-provider analog of pam_chauthtok()
Implemented in every service module, e.g. pam_unix.so, pam_mail.so, pam_tally.so, pam_krb4.so, ...

8 Using PAM
Linux is used as the example.
The /etc/pam.d directory contains the configuration files for the PAM-compliant applications on the system.
Each file defines how authentication-related tasks for its application should be handled.
Example:

9 PAM Configuration Files
Syntax: module-type control-flag module-path args
Example:
auth sufficient pam_userdb.so db=/tmp/dbtest
auth required pam_unix.so use_first_pass debug
Possible module types: auth, account, session, password
Control flag options: required, requisite, sufficient, optional
Most modules support a set of generic arguments

10 Module Types
auth: user authentication and credential granting (corresponds to pam_authenticate())
account: account management (pam_acct_mgmt())
session: events beginning or ending service use (pam_open/close_session())
password: authentication token management (pam_chauthtok())

11 Control Flags and Module Stacks
PAM can use a "stack" of modules, e.g. for the service ftpd:
auth sufficient pam_ftp.so
auth required pam_unix.so use_first_pass
Control flag required means the module must succeed for authentication to occur
Flag requisite is required plus an immediate return after failure
Flag sufficient means module success allows authentication unless a required module has already failed
Control flag optional indicates that the module does not affect authentication success
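To make the four control flags concrete, here is an added simulator (not code from the slides or from Linux-PAM) that parses lines in the configuration syntax above and walks an auth stack the way the framework does; module results come from a constructed dict, and the helper names parse_pam_config, run_stack and FTPD_CONFIG are assumptions of this example.

```python
# Added example (not from the slides): simulate how the PAM framework walks a
# module stack under the required / requisite / sufficient / optional flags.
# Module results come from a constructed dict instead of real pam_sm_* calls.
from collections import namedtuple

# module_type: auth/account/session/password; control: the flag; module: e.g. pam_unix.so
Rule = namedtuple("Rule", "module_type control module args")

def parse_pam_config(text):
    """Parse 'module-type control-flag module-path args' lines; skip comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed PAM line: %r" % raw)
        rules.append(Rule(fields[0], fields[1], fields[2], fields[3:]))
    return rules

def run_stack(rules, module_type, outcomes):
    """Overall verdict for one module type; outcomes maps module -> success bool."""
    stack = [r for r in rules if r.module_type == module_type]
    required_failed = False
    for rule in stack:
        ok = outcomes[rule.module]
        if rule.control == "required":
            if not ok:
                required_failed = True   # remember the failure, keep walking
        elif rule.control == "requisite":
            if not ok:
                return False             # fail and return immediately
        elif rule.control == "sufficient":
            if ok and not required_failed:
                return True              # enough, unless a required module already failed
        elif rule.control == "optional":
            if len(stack) == 1:
                return ok                # only decisive when it is the sole module
        else:
            raise ValueError("unknown control flag: %s" % rule.control)
    return not required_failed

# Constructed sample: the ftpd stack from the slides.
FTPD_CONFIG = """
auth sufficient pam_ftp.so
auth required   pam_unix.so use_first_pass
"""
```

Swapping the order of the two ftpd lines shows why ordering matters: with pam_unix.so listed first as required, a failure there can no longer be rescued by the sufficient module.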

12 Generic Optional Arguments
debug: use syslog() to log debugging information
use_first_pass: use the stored authentication token from the previous module in the stack; allows for unified login
use_mapped_pass: generate a key to recover the authentication token required by the module
expose_account: be friendly

13 Example Configuration File

14 What is LDAP?
Lightweight Directory Access Protocol
Based on X.500; provides a mechanism to distribute information over a network using a hierarchy of servers
Allows secure transmission using SSL
An excellent choice to avoid replicating user account information over multiple hosts
Information is also categorized hierarchically by distinguished names (DN), e.g. UID=mtinker, OU=STUDENT, OU=CSCE, O=UAF, C=USA

15 Sample LDAP Entry
Attributes connected to a DN, again for example UID=mtinker, OU=STUDENT, OU=CSCE, O=UAF, C=USA:
objectclass: account
loginshell: /bin/bash
uidnumber:
homedirectory: /home/mtinker
userpassword: {crypt}KDnOoUYN7Neac

16 PAM LDAP
Install the pam_ldap.so library
Configure /etc/ldap.conf: specifies the LDAP server location, the DN of the search base, and the trusted CA database
Edit /etc/pam.d/myApp as in the example configuration file
Probably use NSS LDAP as well

17 PAM/LDAP Schematic