LDAP and pam without binddn and anonymous access

Solution 1:

I couldn't figure out a way to do this with the pre-existing PAM modules, so I wrote one. It only supports simple authentication at the moment. Be sure to include a uri and binddn template parameter like so:

auth    sufficient    pam_ldapdb.so uri=ldap://example.com binddn=uid=%s,dc=example,dc=com

%s will be replaced with the user connecting.

This requires g++, pam devel and ldap devel. It's been tested on CentOS 6 and 7, 64 bit.

https://github.com/rmbreak/pam_ldapdb

Solution 2:

The problem is that user authentication on UNIX works by taking a simple username string, such as 'usera'.

LDAP does not work like this, but instead needs a full username DN, such as uid=mruser,cn=users,dc=ibm,dc=com.

So the reason you need to allow anon binding or have a valid binddn is so that your authentication system can bind to the LDAP server and perform a search to translate usera -> uid=mruser,cn=users,dc=ibm,dc=com. Without this ability, it wouldn't know what to test the password against in the directory.

It's usual for LDAP admins to not want to allow anonymous binding, but they should be able to create a specific user for you which is only allowed to access the specific details you require for LDAP authentication to work on UNIX, i.e. read-only access on the user and group areas of the LDAP hierarchy.

You don't mention what OS you're actually talking about, but remember that PAM is for authentication - you also need to have the NSS service resolve usernames and userids. Depending on the implementation, this may be a different part of the configuration work you need to do.
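The two approaches described in Solutions 1 and 2, a direct bind built from a DN template and a search with a read-only service account followed by a bind as the located entry, as an added example that is not part of either answer or of pam_ldapdb. It runs against a constructed in-memory directory instead of a real LDAP server; the entry names, service account and passwords are made up, and the template path escapes the login name per RFC 4514 so it cannot change the shape of the DN.

```python
# Constructed sample directory: DN -> attributes (all values are made up).
DIRECTORY = {
    "uid=usera,dc=example,dc=com": {"uid": "usera", "userPassword": "s3cret"},
    "uid=mruser,dc=example,dc=com": {"uid": "mruser", "userPassword": "pw2"},
    "cn=authreader,dc=example,dc=com": {"userPassword": "reader-pw"},
}


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = value.replace("\\", "\\\\")          # backslash first
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def simple_bind(dn, password):
    """Simulated simple bind: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry.get("userPassword") == password


def auth_template_bind(username, password, template="uid=%s,dc=example,dc=com"):
    """Solution 1 style: expand the binddn template with the (escaped) login name
    and bind as that DN. No service account or anonymous search is needed."""
    return simple_bind(template % escape_dn_value(username), password)


def auth_search_then_bind(username, password, svc_dn, svc_pw, base="dc=example,dc=com"):
    """Solution 2 style: bind with a read-only service account, search the base
    for the entry whose uid equals the login name, then bind as that entry."""
    if not simple_bind(svc_dn, svc_pw):
        return False
    matches = [dn for dn, e in DIRECTORY.items()
               if dn.endswith(base) and e.get("uid") == username]
    if len(matches) != 1:                      # no entry, or ambiguous result
        return False
    return simple_bind(matches[0], password)
```

In a real deployment simple_bind would be the LDAP bind and the search a scoped one-level or subtree query; the service account only needs read access to the user and group subtrees, as Solution 2 says.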

Solution 3:

I think I understand what you want to do, which I think is:

  1. A user presents credentials to you for validation.

  2. Instead of binding to the LDAP server via anonymous access, or with a standard set of binding credentials, you want to use the credentials just presented to you by the user, each time, to authenticate to the LDAP server in order to ask it to validate those credentials.

Is that it?

If so, then in order for that to make sense, each user's credentials must be LDAP-valid only for authenticating his or her own credentials; otherwise you could perform the clearly-feared wide search with the first set of credentials so presented. And if the LDAP server admins can tie the scope of a set of credentials down that tightly, then they should be able to provide you with a standard set of binding credentials which are valid only to perform searches against those users who you're authorised to see.

Do you see my point? If your LDAP server admins are that good at scoping the searches that credentials can do, they have the skills needed to give you a suitable set of binding credentials. And if they're not that good, there's no point in asking you to do what they want, because you already possess credentials powerful enough to do what they don't want you to do.

The two standard ways to access an LDAP server are (1) anonymously, and (2) using a set of credentials issued by the server admins which are suitable only for doing what you need them to do. If the server admins don't like (1), then it's their job to provide you suitable credentials to do (2).