I do know a bit about LDAP, but I'm rather stale in it, and most of my experience is with the Netscape/iPlanet/SunOne line, and a little bit of dealing with Novell's directory server.

You're right, in that many directory servers don't want you to retrieve the password, for exactly the reasons you mentioned.

Of course, the 'x' might also mean something else -- it could mean that whoever imported everyone imported a shadowed password file, but didn't actually load the passwords ... we'll hope that's not the case, however. Typically, LDAP does store a real password, and with the servers I've used, it'll even return the password if you have the right permissions (either you logged in as the user, you're the directory manager, or some other user w/ the necessary permissions ... but that has nothing to do with the program being run as 'root'; it has to do with the user you're binding to the server as).

Anyway, here's my normal process for authenticating users in LDAP:

  1. Bind as an application user, and search for the user's DN, in the appropriate tree.
  2. Try to bind as the user, using the found DN, with the password that the user supplied.

In some cases, I might have some extra logic, if there were flags in the system for which services a user had access to ... e.g., I might search for &(uid=username)(host=servicename)

I also don't tend to use PAM for application security, as my PAM config tells it who's allowed to log into the machine, not log into the applications that are running on the machine ... I just use Net::LDAP ... um ... here's some really simplistic authentication logic (assumes the users are in a flat branch, so we don't need to look up their DN):

use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_dn_value);

our %BIND;   # populated elsewhere: per-server connection info

sub authenticate {
    my ($id, $login, $pw) = @_;

    # %BIND contains connection info for multiple LDAP servers.
    return 0 if (! defined($BIND{$id}));
    my %CONFIG = %{ $BIND{$id} };

    # An empty password turns bind() into an anonymous bind, which most
    # servers accept with code 0, so it must never count as a login.
    return 0 if (! defined($pw) || ! length($pw));

    my $ldap = Net::LDAP->new($CONFIG{'host'}, port => $CONFIG{'port'});
    return 0 if !$ldap;

    # Escape the login so special characters cannot alter the DN.
    my $dn = sprintf('cn=%s,ou=people,dc=gwu,dc=edu,o=internet', escape_dn_value($login));
    my $results = $ldap->bind( $dn, password => $pw, version => 3 );
    my $code = $results->code();
    close_ldap($ldap);   # helper not shown in the post; it unbinds the connection

    # 0 is a success, all others are failure
    return (! $code ? 1 : 0);
}

(okay, I'm remembering why I don't go back and look at my 5+ year old code ... ack.)


In reply to Re^2: LDAP & getpwnam by jhourcle
in thread LDAP & getpwnam by Anonymous Monk
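The two-step process described above (bind as an application user, search for the user's DN, then bind as that DN with the supplied password), together with the optional host=servicename flag check, written out as an added Net::LDAP example. This is not code from the post; the host, port, application-user DN and password source, the base DN and the use of a host attribute for service flags are assumptions for illustration. It escapes the user-supplied values before putting them in the filter and refuses empty passwords, because an empty password makes bind() an anonymous bind that most servers accept.

```perl
#!/usr/bin/perl
# Added example of search-then-bind LDAP authentication with Net::LDAP.
# Not from the original post; server details below are assumptions.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value ldap_error_text);
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_INVALID_CREDENTIALS);

my %CONFIG = (
    host   => 'ldap.example.com',                        # assumed
    port   => 636,                                       # assumed (LDAPS)
    app_dn => 'cn=webapp,ou=apps,dc=example,dc=com',     # assumed application user
    app_pw => $ENV{LDAP_APP_PW} // '',                   # assumed: taken from the environment
    base   => 'ou=people,dc=example,dc=com',             # assumed people branch
);

# Returns 1 if $login/$pw authenticate, 0 otherwise.  $service is optional:
# when given, the user must also carry a host=<service> attribute, which is
# the "extra logic" for per-service access flags.
sub authenticate {
    my ($login, $pw, $service) = @_;

    # An empty password turns bind() into an anonymous/unauthenticated bind,
    # which many servers accept with LDAP_SUCCESS; that is not a login.
    return 0 unless defined $login && length $login;
    return 0 unless defined $pw    && length $pw;

    my $ldap = Net::LDAP->new(
        $CONFIG{host},
        port    => $CONFIG{port},
        scheme  => 'ldaps',
        verify  => 'require',   # fail on an untrusted server certificate
        version => 3,
    ) or return 0;

    # Step 1: bind as the application user and look up the user's DN.
    my $mesg = $ldap->bind($CONFIG{app_dn}, password => $CONFIG{app_pw});
    if ($mesg->code != LDAP_SUCCESS) {
        warn "application bind failed: " . ldap_error_text($mesg->code) . "\n";
        $ldap->unbind;
        return 0;
    }

    # Escape user-controlled values so "*" or ")(" cannot rewrite the filter.
    my $filter = sprintf('(&(uid=%s)%s)',
        escape_filter_value($login),
        defined $service ? sprintf('(host=%s)', escape_filter_value($service)) : '');

    my $search = $ldap->search(
        base   => $CONFIG{base},
        scope  => 'sub',
        filter => $filter,
        attrs  => ['1.1'],      # DN only, no attributes
    );
    # Exactly one match is required; zero means unknown user or missing
    # service flag, more than one means an ambiguous directory.
    if ($search->code != LDAP_SUCCESS || $search->count != 1) {
        $ldap->unbind;
        return 0;
    }
    my $dn = $search->entry(0)->dn;

    # Step 2: bind as the user with the password the user supplied.
    my $auth = $ldap->bind($dn, password => $pw);
    my $ok = ($auth->code == LDAP_SUCCESS) ? 1 : 0;
    # Wrong passwords are expected; anything else is worth logging.
    warn "bind as $dn failed: " . ldap_error_text($auth->code) . "\n"
        if !$ok && $auth->code != LDAP_INVALID_CREDENTIALS;

    $ldap->unbind;
    return $ok;
}

# Usage: authenticate('jdoe', $password_from_form, 'webmail');
```

Note that the search is done with the application user's credentials and the second bind reuses the same connection; if the user bind fails, the connection is still bound as the user who last succeeded, so unbind before returning rather than reusing the handle.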
