On Jan 13, 2006, at 11:45 AM, Allan Spagnol Comar wrote:

> thanks. I believe I am starting to understand this.
>
> I was seeing that ldap can authenticate in a lot of types, like,
> databases, files, and PAM does some things like that too.... or am I
> wrong?
>
as far as I know you are wrong.  ldap is an authentication
mechanism.  it stores usernames, passwords, and much more.
hopefully, i'll not screw up this explanation.  You sit down to your
computer....you see the login prompt.  You type username, it asks for
a password.  you give it one.  it (the getty program) then passes
those credentials to pam.  pam looks in its list of authentication
mechanisms to see in what order you'd like to try to authenticate.
say it's ldap, then nis, then shadow.  so it does a query to ldap
using your username as a key to retrieve your encrypted password.  it
then compares what returns (assuming you are in the ldap db) with the
encrypted form of what you typed.  If it matches, pam checks to see
if that's simply a required authentication, or a sufficient
authentication.  it is possible with pam to require more than one
test be passed before saying okay.  if more tests are required, or
you don't pass that test, pam goes down its list of other methods.
typically, for instance, root is only in shadow NOT in ldap.  so
usually, users are allowed to fail the ldap (or nis) and be checked
against shadow.  usually, though, shadow is the authentication method
of last resort.  so pam is a framework into which multiple
authentication methods can snap.
> On 1/13/06, John Jolet <john@×××××.net> wrote:
>>
>> On Jan 13, 2006, at 11:03 AM, Allan Spagnol Comar wrote:
>>
>>> Hi, I don't know if this is a valid question, or I am making a big
>>> mess, but I was wondering which authentication method is better, ldap
>>> or pam. I would like to know too if it is possible to use both.
>>>
>> ldap is one of the methods that can (p)lug in to pam (pluggable
>> authentication method...)
>>
>>> thanks.
>>> --
>>> An application asked:
>>> "Requires Windows 9x, NT4 or better",
>>> so I've installed Linux
>>>
>>> --
>>> gentoo-user@g.o mailing list
>>>
>>
>>
>> --
>> gentoo-user@g.o mailing list
>>
>>
>
>
> --
> An application asked:
> "Requires Windows 9x, NT4 or better",
> so I've installed Linux
>
> --
> gentoo-user@g.o mailing list
>


--
gentoo-user@g.o mailing list
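
An added example, not part of the original thread: a simplified Python model of how a PAM stack walks its modules in order, using the ldap-then-shadow ordering and the required/sufficient distinction described in the reply above. The backends, users, passwords and the SHA-256 stand-in for the stored hash are constructed for illustration; this models PAM control flags and is not the PAM library itself.

```python
import hashlib
import hmac

def _hash(pw):
    # Assumption: stand-in for the crypt(3)-style hash a real backend stores.
    return hashlib.sha256(pw.encode()).hexdigest()

# Constructed sample backends: root lives only in shadow, alice only in LDAP.
LDAP = {"alice": _hash("wonderland")}
SHADOW = {"root": _hash("local-only")}

def check(db, user, pw):
    stored = db.get(user)
    return stored is not None and hmac.compare_digest(stored, _hash(pw))

# (control flag, module name, backend), tried top to bottom.
FALLBACK = [("sufficient", "ldap", LDAP), ("required", "shadow", SHADOW)]
BOTH = [("required", "ldap", LDAP), ("required", "shadow", SHADOW)]

def authenticate(stack, user, pw):
    """Return (granted, [(module, passed), ...]) for one login attempt."""
    passed_any = False
    failed_required = False
    tried = []
    for control, name, db in stack:
        ok = check(db, user, pw)
        tried.append((name, ok))
        if ok:
            passed_any = True
            if control == "sufficient" and not failed_required:
                return True, tried   # nothing further down is consulted
        elif control == "requisite":
            return False, tried      # hard stop on failure
        elif control == "required":
            failed_required = True   # remembered, but the stack keeps running
        # a failed "sufficient" or "optional" module is simply skipped
    return passed_any and not failed_required, tried

if __name__ == "__main__":
    for stack_name, stack in (("FALLBACK", FALLBACK), ("BOTH", BOTH)):
        for user, pw in (("alice", "wonderland"), ("root", "local-only")):
            print(stack_name, user, authenticate(stack, user, pw))
```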