Re: [Sheflug] AccessSpace NIS (lots of Q's)
On Wed, Apr 04, 2001 at 04:14:08PM +0100, James Wallbank wrote:
> box". But what does it do? Is PAM a daemon? In which case what sort
> of information is it waiting for? Logins, some kind of "authenticate
> me" packets, or what?
No, PAM is just a piece of software that is invoked to process logins.
Program asks PAM, "User has said their password is x. Is this the case?".
PAM says yay or nay.
> Okay, so LDAP holds account information, including permissions. So
> (presumably) an LDAP client (i.e. a user on one of our machines)
> contacts the LDAP server, and says "this is who I am and this is my
> password". Then what does the LDAP server do in response? Send back
> some kind of information to the client, presumably. Does that
> returned information have something to do with PAM?
The LDAP server sends PAM (on the client machine) the account information,
including a (hopefully hashed :) password. PAM on the client compares the
information the user has given with the information the LDAP server gives,
and if the two are the same, the user is (hopefully) who they say they are.
> Ahhh! So let me get this straight. Is what you're saying that you
> have an "LDAP PAM module" running on each client machine as a daemon?
> When the user tries to log on to the client machine, the PAM module
> intercepts the logon attempt and refers it to the LDAP server for
> authentication???
It's not a daemon, and it doesn't intercept - PAM handles all logins. When a
program needs to authenticate a user, it refers the information it has been
given to PAM. That simple :-)
> If so, does this mean that an "LDAP PAM Module" is, effectively, an
> LDAP client?
Yep. All PAM modules do is get account information - it's essentially an
abstraction.
Try reading the RFC on LDAP as a network information architecture:
http://community.roxen.com/developers/idocs/rfc/rfc2307.html
You might find it a bit heavy going, but try re-reading it a couple of times
- it will begin to make sense :) It covers using LDAP as an authentication
scheme, but also for DNS, etc...
> Therefore, doesn't that mean that the "LDAP Server" is, effectively,
> an authentication server??
That would be the use it would be put to in this instance, but LDAP is
capable of a lot more. And also, it's not LDAP doing the authentication -
either the client or the server - it just provides the information. PAM,
having received the account information from its module, makes the decision
whether or not the user is who they say they are.
Cheers,
Alex.
--
---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk
To unsubscribe from this list send mail to
- <sheflug-request [at] vuw.ac.nz> - with the word
"unsubscribe" in the body of the message.
GNU the choice of a complete generation.
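An added example, not part of the thread above: a self-contained Python model of the login flow Alex describes (program asks PAM, a module fetches the RFC 2307 account record, PAM answers yes or no). It shows two ways the module can use the directory. The first is the arrangement the reply describes: the client reads the account record including the userPassword hash and compares locally, which only works if the directory's ACLs let clients read that attribute. The second is what pam_ldap normally does: resolve the user's DN, then bind to the directory as that user, so the server checks the password and the hash never leaves it. The directory contents, the dc=example,dc=org base DN, the user "alice" and her password are all constructed for the example; only the {SSHA} userPassword scheme is handled.

```python
# Added example (not from the original post): a self-contained model of the
# login flow discussed above. A program hands PAM a username and password;
# a PAM module fetches the RFC 2307 account record from "LDAP" and PAM
# answers yes or no. Two module strategies are shown:
#   - compare mode: the module reads userPassword and checks the hash itself
#     (the arrangement the reply describes; needs the hash readable by clients)
#   - bind mode:    the module binds to the directory as the user; the server
#     checks the password and the hash never leaves the server
# The directory, DNs and the account below are constructed for the example.
import base64
import hashlib
import hmac


def ssha_hash(password: str, salt: bytes) -> str:
    """RFC 2307 {SSHA} userPassword value: base64(sha1(password||salt) || salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(stored: str, candidate: str) -> bool:
    """Check a candidate password against a {SSHA} value (constant-time compare)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("only {SSHA} is handled in this example")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes; rest is salt
    return hmac.compare_digest(digest, hashlib.sha1(candidate.encode() + salt).digest())


# Constructed directory content: one posixAccount entry (RFC 2307 schema).
BASE_DN = "ou=People,dc=example,dc=org"
DIRECTORY = {
    f"uid=alice,{BASE_DN}": {
        "objectClass": ["posixAccount", "shadowAccount"],
        "uid": "alice",
        "uidNumber": 1001,
        "gidNumber": 100,
        "homeDirectory": "/home/alice",
        "loginShell": "/bin/bash",
        "userPassword": ssha_hash("correct horse", b"\x01\x02\x03\x04"),
    }
}


# --- what the "LDAP server" side does -------------------------------------
def ldap_search_uid(uid: str, with_password: bool):
    """Search for (uid=<uid>) under BASE_DN; returns (dn, attrs) or None.
    with_password models whether the ACL lets this client read userPassword."""
    for dn, attrs in DIRECTORY.items():
        if attrs["uid"] == uid:
            visible = {k: v for k, v in attrs.items()
                       if with_password or k != "userPassword"}
            return dn, visible
    return None


def ldap_simple_bind(dn: str, password: str) -> bool:
    """Simple bind: the server verifies the password; only yes/no goes back."""
    entry = DIRECTORY.get(dn)
    return entry is not None and ssha_verify(entry["userPassword"], password)


# --- what the PAM module on the client does --------------------------------
def pam_ldap_compare_mode(user: str, password: str) -> bool:
    """Module fetches the record including the hash and compares locally."""
    found = ldap_search_uid(user, with_password=True)
    if found is None:
        return False
    _dn, attrs = found
    return ssha_verify(attrs["userPassword"], password)


def pam_ldap_bind_mode(user: str, password: str) -> bool:
    """Module resolves the DN (no hash needed), then binds as the user."""
    found = ldap_search_uid(user, with_password=False)
    if found is None:
        return False
    dn, attrs = found
    assert "userPassword" not in attrs   # the client never sees the hash
    return ldap_simple_bind(dn, password)


# --- what the calling program sees -----------------------------------------
PAM_SUCCESS, PAM_AUTH_ERR = "PAM_SUCCESS", "PAM_AUTH_ERR"


def pam_authenticate(user: str, password: str, mode: str = "bind") -> str:
    """The question a login program asks: 'user says the password is x; is it?'"""
    module = pam_ldap_bind_mode if mode == "bind" else pam_ldap_compare_mode
    return PAM_SUCCESS if module(user, password) else PAM_AUTH_ERR


if __name__ == "__main__":
    for mode in ("bind", "compare"):
        print(mode,
              pam_authenticate("alice", "correct horse", mode),
              pam_authenticate("alice", "wrong", mode),
              pam_authenticate("nobody", "x", mode))
```

Both modes give the login program the same yes/no answer, which is the point of the abstraction; the difference is where the password hash is exposed. In compare mode every client host that can authenticate users can also read (and crack) every hash, so if you deploy it that way, restrict read access to userPassword to the hosts that need it and use a salted scheme such as {SSHA} rather than cleartext or {CRYPT} with DES.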