topic LDAP-UX Password Service Configuration in Operating System - Linux

LDAP-UX Password Service Configuration

Ski Ride — Fri, 20 Mar 2009 06:17:42 GMT

I have setup LDAP UX with RHDS.

When i run the display_profile_cache I get the below details for PASSWD service configuration.
Here "passwd: *NULL*" the password is mapped to NULL. I just want to know if this is correct? Or should the password be mapped to userPassword. Anything wrong with my configuration? Do anyone of you get the same details while running display_profile_cache.

PASSWD service configuration
============================
Attribute: is mapped to:
---------- -------------
name: uid
uid number: uidnumber
primary gid: gidnumber
login shell: loginshell
passwd: *NULL*
home directory: homedirectory
gecos 1: gecos
gecos 2:
gecos 3:
gecos 4:
gecos 5:

Thanks in advance

Re: LDAP-UX Password Service Configuration

Matti_Kurkela — Fri, 20 Mar 2009 08:05:27 GMT

Disclaimer: I don't have much experience with LDAP.

The attributes in the PASSWD service correspond to the contents of the traditional /etc/passwd file. If shadow passwords are used (as is the norm today), the password field in /etc/passwd file will just contain a placeholder, usually "x" or "*". The actual passwords are stored elsewhere. For LDAP, the equivalent of this placeholder might be the mapping to NULL.

This is because /etc/passwd, and by extension the PASSWD service of LDAP, are readable by every user of the system. The information in them is used by commands like "ls" to translate machine-readable UID and GID numbers to human-readable user and group names and vice versa. Everything here is considered "public information" to every user of the system.

I would expect that the actual passwords are stored in another service (maybe SHADOW?) and that access to that service is controlled more strictly.

MK

Re: LDAP-UX Password Service Configuration

Ski Ride — Fri, 20 Mar 2009 09:53:06 GMT

Hi MK

Thanks for the information, Also I found this information

"The userPassword attribute is mapped to *NULL* to prevent passwords from being returned for increased security and to prevent PAM_UNIX from authenticating users in the LDAP directory. Mapping to *NULL* or any other nonexistent attribute means do not return anything"

Source: http://www.docs.hp.com/en/J4269-90073/apbs01.html?btnNext=next+%BB

But a more detailed explanation about how the userPassword is mapped, anyways to change this mapping and other possible values to this attribute would be greatly appreciated.