6

I am working in a large company and can use its central read-only LDAP server remotely. The LDAP server does not allow anonymous binding. In order to use this server for authentication of the users on my small server with a PAM module I need an account which exposes the data on LDAP to me. The account data is normally filled in the binddn and bindpw fields of the configuration. As I understand it, the PAM module normally logs in with binddn and bindpw, then performs a search and afterwards binds for each user who wants to log in.

The administrators of the server however do not like exposing all the data to me. And so my question is:

How can I configure pam without binddn account? Ideally a direct bind for each user should be performed without prior login with binddn account.

Roman Byshko
  • You do realise this question is logically equivalent to "i have an LDAP server that doesn't allow unauthenticated queries. how do i query it without authenticating?", don't you? – MadHatter Jul 25 '12 at 09:14
  • @MadHatter Well, partially. I would like each user to authenticate himself. The result of this authentication should be enough for me... How else can I have an access to LDAP, but only to the data of the users that *do* authenticate on my server... – Roman Byshko Jul 25 '12 at 09:54
  • I have this exact problem that I'm trying to solve. The question is how to use the user's credentials for binding to LDAP, not avoiding LDAP authentication altogether. Unfortunately, there is apparently no answer. :( – Josh Apr 22 '13 at 16:26
  • I have this same issue. Were you able to solve it? I just need to validate credentials for uid=%s,ou=people,dc=example,dc=com where %s is the user attempting to connect. – flumpb Jul 15 '15 at 17:08
  • Sorry, it was a long time ago, I do not remember anymore. :) – Roman Byshko Jul 15 '15 at 21:55

3 Answers

3

I couldn't figure out a way to do this with the pre-existing PAM modules, so I wrote one. It only supports simple authentication at the moment. Be sure to include a uri and binddn template parameter like so:

auth    sufficient    pam_ldapdb.so uri=ldap://example.com binddn=uid=%s,dc=example,dc=com

%s will be replaced with the user connecting.

This requires g++, pam devel and ldap devel. It's been tested on CentOS 6 and 7, 64 bit.

https://github.com/rmbreak/pam_ldapdb

flumpb
  • It seems you still need username -> uid mapping for this to work. So how would you do that without a bind user? You can't just set up an sssd for that, because that would require a bind user. (In my case I don't want users with physical access to computers to be able to extract bind user login data, as that would allow them to enumerate users which is a privacy issue.) – pcworld Dec 06 '20 at 23:40
2

The problem is that user authentication on UNIX works by taking a simple username string, such as 'usera'.

LDAP does not work like this, but instead needs a full username DN, such as uid=mruser,cn=users,dc=ibm,dc=com.

So the reason you need to allow anon binding or have a valid binddn is so that your authentication system can bind to the LDAP server and perform a search to translate usera -> uid=mruser,cn=users,dc=ibm,dc=com. Without this ability, it wouldn't know what to test the password against in the directory.

It's usual for LDAP admins to not want to allow anonymous binding, but they should be able to create a specific user for you which only allows access to the specific details you require for LDAP authentication to work on UNIX, i.e. read-only access on the user and group areas of the LDAP hierarchy.

You don't mention what OS you're actually talking about, but remember that PAM is for authentication - you also need the NSS service to resolve usernames and user IDs. Depending on the implementation, this may be a different part of the configuration work you need to do.

ChrisH
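The two flows contrasted in the answers above (the classic binddn search-then-bind of pam_ldap, and the template-based direct bind of the pam_ldapdb answer) as an added example; this is not code from pam_ldapdb or any answer, and the in-memory directory, the helper names and the sample passwords are all constructed for the demonstration. The direct-bind path also escapes the username before substituting it into the DN template, which a real module should do as well.

```python
# Added example: models search-then-bind vs. direct bind against a constructed
# in-memory directory. Hypothetical helpers; not the pam_ldapdb implementation.

# Constructed sample directory: DN -> attributes (clear-text passwords for the toy only)
DIRECTORY = {
    "uid=usera,ou=people,dc=example,dc=com": {"uid": "usera", "userPassword": "s3cret"},
    "uid=mruser,ou=people,dc=example,dc=com": {"uid": "mruser", "userPassword": "hunter2"},
    "cn=pam-reader,ou=svc,dc=example,dc=com": {"userPassword": "svc-pw"},
}
# Only this service account is allowed to search; ordinary users may only bind.
SEARCHERS = {"cn=pam-reader,ou=svc,dc=example,dc=com"}

def bind(dn, password):
    """Simple bind: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["userPassword"] == password

def search(bound_as, uid):
    """Subtree search by uid, permitted only for accounts with search rights."""
    if bound_as not in SEARCHERS:
        raise PermissionError("insufficient access")
    return [dn for dn, attrs in DIRECTORY.items() if attrs.get("uid") == uid]

def escape_dn_value(value):
    """RFC 4514 escaping for an attribute value placed into a DN template."""
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=' or (ch == "#" and i == 0) or (ch == " " and i in (0, len(value) - 1)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def search_then_bind(username, password, svc_dn, svc_pw):
    """pam_ldap-style flow: bind as the service account, search for the user's DN, bind as the user."""
    if not bind(svc_dn, svc_pw):
        return False
    try:
        dns = search(svc_dn, username)
    except PermissionError:       # a plain user as binddn cannot translate username -> DN
        return False
    return len(dns) == 1 and bind(dns[0], password)

def direct_bind(username, password, template="uid=%s,ou=people,dc=example,dc=com"):
    """pam_ldapdb-style flow: fill the DN template and bind as the user; no service account needed."""
    return bind(template % escape_dn_value(username), password)
```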
1

I think I understand what you want to do, which I think is:

  1. A user presents credentials to you for validation.

  2. Instead of binding to the LDAP server via anonymous access, or with a standard set of binding credentials, you want to use the credentials just presented to you by the user, each time, to authenticate to the LDAP server in order to ask it to validate those credentials.

Is that it?

If so, then in order for that to make sense, each user's credentials must be LDAP-valid only for authenticating his or her own credentials; otherwise you could perform the clearly-feared wide search with the first set of credentials so presented. And if the LDAP server admins can tie the scope of a set of credentials down that tightly, then they should be able to provide you with a standard set of binding credentials which are valid only to perform searches against those users who you're authorised to see.

Do you see my point? If your LDAP server admins are that good at scoping the searches that credentials can do, they have the skills needed to give you a suitable set of binding credentials. And if they're not that good, there's no point in asking you to do what they want, because you already possess credentials powerful enough to do what they don't want you to do.

The two standard ways to access an LDAP server are (1) anonymously, and (2) using a set of credentials issued by the server admins which are suitable only for doing what you need them to do. If the server admins don't like (1), then it's their job to provide you suitable credentials to do (2).

MadHatter
  • Yes, you've understood everything correctly. The admins however do not have the users separated into groups, just a long list of them (do not ask me why). So each normal user can only bind. Each admin user can search through *all* the people in the directory. And that's why I was looking for a workaround... – Roman Byshko Jul 25 '12 at 12:49
  • @RomanB.: It sounds like your workaround is to redesign your LDAP infrastructure to make sense. Ugh. – Scott Pack Jul 25 '12 at 13:41