It's a feature, not a bug: the sensitive information is protected :-)

Remember that there are two different things going on with the passwd/shadow database: there is querying the database to find out what users exist and what information is associated with them, and there is authenticating a user. The former is the job of NSS (name service switch) and the latter is the job of PAM (pluggable authentication modules).

It so happens that with flat files and also with NIS (because NIS and NIS+ were designed to work much like network versions of the flat files), the authentication (PAM) piece makes use of the same database as the database piece (NSS), i.e. it gets the username and crypted password out of the NSS database and checks if the credentials supplied by the user are good.

But in general an authentication mechanism is not required to keep its authentication information located in the NSS database. LDAP does not because LDAP already has a way for users to authenticate against it that is independent of the UNIX-specific information that can be found in the passwd file. Some authentication mechanisms could not store crypted hashes in the traditional passwd file fields even if they wanted to because they have no such concept! Examples are one-time password schemes and SecurID.

So LDAP stores a dummy value in the UNIX /etc/passwd style field of its database. You will have to get the passwords some other way. I don't know much about LDAP, but I actually suspect that it's quite secure and that it will actually not let you get at that information over the network.

If you need to authenticate users from your Perl script, you probably need to use PAM to ask the system whether a username and password combination is valid. This is what all of the things on your system that need authentication (like the SSH server) do. There seems to be an Authen::PAM module on CPAN but I have never used it.


In reply to Re: LDAP & getpwnam by Celada
in thread LDAP & getpwnam by Anonymous Monk
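
Added example, not part of the original post: a sketch of the PAM route suggested above, using the Authen::PAM module from CPAN. The helper name `pam_check` and the default service name `login` are assumptions, and the placeholder test on the NSS field is only a length heuristic.

```perl
use strict;
use warnings;
use Authen::PAM;    # CPAN module named in the post

# Ask PAM whether a username/password pair is valid, rather than comparing
# against whatever getpwnam() returns. pam_check is a hypothetical helper;
# the default service "login" is an assumption (see /etc/pam.d).
sub pam_check {
    my ($user, $password, $service) = @_;
    $service ||= 'login';

    # Conversation callback: PAM passes (type, message) pairs and expects
    # (status, answer) pairs back, followed by one overall status.
    my $conv = sub {
        my @reply;
        while (@_) {
            my ($type, $msg) = (shift, shift);
            my $answer = '';
            $answer = $user     if $type == PAM_PROMPT_ECHO_ON();
            $answer = $password if $type == PAM_PROMPT_ECHO_OFF();
            push @reply, PAM_SUCCESS(), $answer;
        }
        return (@reply, PAM_SUCCESS());
    };

    my $pamh = Authen::PAM->new($service, $user, $conv);
    return (0, "PAM init failed with code $pamh") unless ref $pamh;

    my $rc = $pamh->pam_authenticate;
    # Also honour account restrictions (expired or locked accounts).
    $rc = $pamh->pam_acct_mgmt if $rc == PAM_SUCCESS();
    return ($rc == PAM_SUCCESS() ? 1 : 0, $pamh->pam_strerror($rc));
}

my $user = shift(@ARGV) // die "usage: $0 username\n";
my $field = (getpwnam($user))[1];
die "no such user in NSS: $user\n" unless defined $field;
# Heuristic: traditional crypt() output is at least 13 characters, while
# placeholders such as "x" or "*" are shorter. The value is not printed.
printf "NSS password field is %s\n",
    length($field) < 13 ? 'a placeholder' : 'long enough to be a hash';

print "Password: ";
system('stty', '-echo');    # keep the password off the terminal
chomp(my $password = <STDIN> // '');
system('stty', 'echo'); print "\n";

my ($ok, $why) = pam_check($user, $password);
printf "%s\n", $ok ? 'authenticated' : "rejected: $why";
```

With pam_unix, a process that is not root can usually verify only its own account's password, so a script that checks other users needs suitable privileges or a PAM stack backed by LDAP.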
