Pluggable Authentication Modules
Pluggable Authentication Modules (PAM) is the mechanism that Linux uses to decide whether or not you can log in. Here's a crude picture:
login ----------\                  /------ RDBMS
apache ----------\   ===========  /------- LDAP
                  \  =         = /
ssh ---------------=    PAM    =----------- passwd files
                  /  =         = \
passwd ----------/   ===========  \------- RADIUS
                /         |        \
etc... --------/          |         \----- etc...
                          |
                          | PAM config files (/etc/pam.d/*, /etc/pam_ldap.conf, etc.)
In a nutshell, any program that wants to see if you can log in can call the PAM library, which then looks at the config files to see which modules to call to do the processing. You can even "stack" the modules, i.e. require that more than one of them succeed.
In one rather extreme case I used the Apache PAM authentication module to call the PAM LDAP module so that Apache could decide whether to allow each person to view a page.
The config file /etc/pam.d/httpd looked like this:
auth sufficient pam_ldap.so
#auth required pam_unix.so
#account required pam_unix.so
account required pam_ldap.so
One mistake I made was having no account directive the first time I tried it. It's important to have the auth and account directives use the same module.
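As an added example (not code from this page or from any PAM project), here is a small Python model of the stacking and of the auth/account mistake just described: it parses a pam.d service file, flags an account stack that is missing or shares no module with the auth stack, and evaluates a stack with Linux-PAM's classic control-flag semantics. The per-module outcomes it takes are constructed stand-ins for the real modules' return codes.

```python
# Constructed sample mirroring the /etc/pam.d/httpd file above.
HTTPD_CONF = """\
auth     sufficient pam_ldap.so
#auth    required   pam_unix.so
#account required   pam_unix.so
account  required   pam_ldap.so
"""

# Linux-PAM maps each control flag to (action on success, action on failure).
ACTIONS = {"required": ("ok", "bad"), "requisite": ("ok", "die"),
           "sufficient": ("done", "ignore"), "optional": ("ok", "ignore")}

def parse_pam(text):
    """Return (type, control, module) triples; comments and blank lines are dropped."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) < 3 or fields[1].lower() not in ACTIONS:
            raise ValueError(f"unsupported PAM line: {raw!r}")
        entries.append((fields[0].lower(), fields[1].lower(), fields[2]))
    return entries

def lint(entries):
    """Report the mistake described above: no account stack, or an account stack
    that shares no module with the auth stack (e.g. LDAP auth, pam_unix account)."""
    auth = {m for t, _, m in entries if t == "auth"}
    account = {m for t, _, m in entries if t == "account"}
    if not account:
        return "no account directive: the account stage can never succeed"
    return None if auth & account else "auth and account stacks use different modules"

def run_stack(entries, stack_type, results):
    """Evaluate one stack; `results` maps module -> True/False (constructed outcomes)."""
    impression = None  # None = no decision yet, True = positive, False = negative
    for stype, control, module in entries:
        if stype != stack_type:
            continue
        action = ACTIONS[control][0 if results.get(module, False) else 1]
        if action in ("ok", "done"):
            impression = impression is not False  # success cannot undo an earlier failure
            if action == "done" and impression:
                return True   # sufficient module succeeded with no earlier failure
        elif action in ("bad", "die"):
            impression = False
            if action == "die":
                return False  # requisite failure ends the stack at once
    return bool(impression)   # no decision at all (e.g. empty stack) is a denial
```

Apache's PAM module runs the auth stack and then the account stack, so a login succeeds only if run_stack returns True for both.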
Note that libapache-mod-auth-pam is greedy: once it's loaded it wants to do all of the authentication. It took me a while to figure this out - if you don't want to use it for a directory you need to shut it off explicitly on a per-directory basis.
I found that most of the PAM modules were pretty half-baked, so debugging is hard if you don't have the source. On the other hand, we're only talking about a few hundred lines of code, so it's not too hard to find your way around.
The PAM LDAP module is configured by /etc/pam_ldap.conf. The sequence of events at login is: connect to the directory as the manager account, search for an entry containing a "uid" attribute whose value is the login name given, then try to bind as that entry using the password given. I didn't find the "uid" attribute in the standard schemas, so if you can't log in it's a good idea to check whether the uid attribute is populated correctly.
The PAM home page appears to be: http://www.kernel.org/pub/linux/libs/pam/
The PAM/LDAP home page appears to be: http://www.padl.com/pam_ldap.html
Info for setting up LDAP on Debian: http://people.debian.org/~torsten/ldapnss.html