get LDAP user's password from program - Unix


  1. get LDAP user's password from program

    I have some existing code (recently ported from Digital Unix to Red
    Hat Linux) that validates a username and password. It calls
    getpwnam() to find the username on the system, and then to read the
    encrypted password it used to call getprpwnam() on DU, and now calls
    getspnam() [Linux] to read the shadow password file.

    The customer has now added LDAP logins to the system, and getpwnam()
    does find the user, but the passwords from both getpwnam() and
    getspnam() just contain "x".

    How can I get at the (encrypted) password for the LDAP user?

  2. Re: get LDAP user's password from program

    mark.bergman@thales-is.com writes:
    >I have some existing code (recently ported from Digital Unix to Red
    >Hat Linux) that validates a username and password. It calls
    >getpwnam() to find the username on the system, and then to read the
    >encrypted password it used to call getprpwnam() on DU, and now calls
    >getspnam() [Linux] to read the shadow password file.

    >The customer has now added LDAP logins to the system, and getpwnam()
    >does find the user, but the passwords from both getpwnam() and
    >getspnam() just contain "x".

    >How can I get at the (encrypted) password for the LDAP user?

    Typically, you don't. The LDAP server keeps them internal to it, and
    doesn't hand them out without whacking a bunch of ACLs protecting
    against that sort of thing. A typical way to authenticate an LDAP user
    is to take the credentials presented, and to attempt to bind to the
    LDAP server as that user. If that is allowed, then the user is
    authenticated. If that fails, then the credentials are bad.

    Usually, nowadays, all these different methods are wrapped up in the
    PAM authentication system so you don't need to know these differences,
    although that puts the burden back on the sysadmin to make sure to
    set up the PAM system for your app/system to make sure it all works
    against the authentication options that they have configured for their system.
    (i.e. see man pam_authenticate)


  3. Re: get LDAP user's password from program

    On Aug 7, 4:16 pm, mark.berg...@thales-is.com wrote:
    > I have some existing code (recently ported from Digital Unix to Red
    > Hat Linux) that validates a username and password. It calls
    > getpwnam() to find the username on the system, and then to read the
    > encrypted password it used to call getprpwnam() on DU, and now calls
    > getspnam() [Linux] to read the shadow password file.

    > The customer has now added LDAP logins to the system, and getpwnam()
    > does find the user, but the passwords from both getpwnam() and
    > getspnam() just contain "x".

    > How can I get at the (encrypted) password for the LDAP user?

    You don't. You take the user name and password you were given,
    and try to log on to the LDAP server as that user, with his
    password. If you can, it's good, and if you can't, it's not.
    Once you've successfully logged on, you drop the connection to
    the LDAP server, as you don't need it any more.

    --
    James Kanze (GABI Software) email: james.kanze@gmail.com
    Conseils en informatique orientée objet/
    Beratung in objektorientierter Datenverarbeitung
    9 place Sémard, 78210 St.-Cyr-l'École, France, +33 (0)1 30 23 00 34
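The "bind as that user" check both replies describe, shown at the wire level as an added example (not code from the thread or from the original program): it BER-encodes the LDAPv3 simple BindRequest for a DN and password and reads the resultCode out of the server's BindResponse. The DN, password and the two server replies are constructed sample values; socket I/O is left out, and a real program would normally just call libldap's ldap_sasl_bind_s() rather than encode this itself.

```c
/* Added example, not code from the thread: the "bind as that user" check at
 * the wire level. build_simple_bind() BER-encodes an LDAPv3 simple BindRequest
 * (RFC 4511, short-form lengths only); parse_bind_result() reads the server's
 * BindResponse. Socket I/O is omitted; real code would call ldap_sasl_bind_s(). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { LDAP_SUCCESS = 0, LDAP_INVALID_CREDENTIALS = 49 };   /* RFC 4511, Appendix A */

/* Encode the request into out; returns the byte count, or 0 if it was refused.
 * An empty password is refused on purpose: LDAP treats DN + empty password as an
 * *unauthenticated* bind (RFC 4513, 5.1.2), which a server may accept as anonymous
 * with resultCode 0, so the application must rule that case out itself. */
size_t build_simple_bind(uint8_t *out, size_t cap, uint8_t msgid, const char *dn, const char *pw)
{
    size_t dl = strlen(dn), pl = strlen(pw);
    if (dl == 0 || pl == 0 || msgid > 127) return 0;
    size_t body = 3 + 2 + dl + 2 + pl;   /* version + name + simple password */
    size_t req  = 2 + body;              /* BindRequest [APPLICATION 0] wrapper */
    size_t msg  = 3 + req;               /* messageID INTEGER + BindRequest */
    if (body > 127 || msg > 127 || 2 + msg > cap) return 0;
    uint8_t *p = out;
    *p++ = 0x30; *p++ = (uint8_t)msg;                            /* LDAPMessage SEQUENCE */
    *p++ = 0x02; *p++ = 0x01; *p++ = msgid;                      /* messageID */
    *p++ = 0x60; *p++ = (uint8_t)req;                            /* BindRequest */
    *p++ = 0x02; *p++ = 0x01; *p++ = 0x03;                       /* version 3 */
    *p++ = 0x04; *p++ = (uint8_t)dl; memcpy(p, dn, dl); p += dl; /* name (LDAPDN) */
    *p++ = 0x80; *p++ = (uint8_t)pl; memcpy(p, pw, pl); p += pl; /* simple [0] password */
    return (size_t)(p - out);
}

/* Return the BindResponse resultCode, or -1 if the bytes are not a well-formed
 * BindResponse carrying the messageID we sent (treat -1 as "not authenticated"). */
int parse_bind_result(const uint8_t *in, size_t len, uint8_t msgid)
{
    if (len < 10 || in[0] != 0x30 || in[1] + 2u > len) return -1;    /* LDAPMessage */
    if (in[2] != 0x02 || in[3] != 0x01 || in[4] != msgid) return -1; /* messageID */
    if (in[5] != 0x61 || in[6] + 7u > len) return -1;   /* BindResponse [APPLICATION 1] */
    if (in[7] != 0x0A || in[8] != 0x01) return -1;      /* resultCode ENUMERATED */
    return in[9];
}

/* The rule from the thread: bind succeeded means authenticated, anything else does not. */
int ldap_user_authenticated(const uint8_t *r, size_t n, uint8_t id) { return parse_bind_result(r, n, id) == LDAP_SUCCESS; }

/* Constructed server replies for messageID 1: success, and invalidCredentials (49). */
const uint8_t RESP_OK[]     = {0x30,0x0C,0x02,0x01,0x01,0x61,0x07,0x0A,0x01,0x00,0x04,0x00,0x04,0x00};
const uint8_t RESP_BAD_PW[] = {0x30,0x0C,0x02,0x01,0x01,0x61,0x07,0x0A,0x01,0x31,0x04,0x00,0x04,0x00};
```

Whatever the outcome, the connection is closed right after the bind, as the third reply says; the only thing the program keeps is the yes/no answer.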
