
How I hate thee LDAP authentication...

Vincent Danen

July 18, 2005

I find LDAP for authentication highly irritating. It's better than some alternatives, like NIS (haven't looked at NIS+ so I don't know how it measures up), but man oh man, it's a real nuisance sometimes.

I wrote that LDAP Authentication piece when there was essentially nothing else on the subject, and it took a long time to figure out all the bits. Now it seems like LDAP for authentication is all the rage: everyone uses it or wants to use it, and I understand why. In a large company or organization it makes sense, and from that standpoint centralized authentication is awesome. But to administer the beast? Good Lord.

Way back when I first wrote the LDAP for Authentication paper, you used pam_pwdb in conjunction with pam_ldap, and with a little massaging you could make it so the passwd program would change (you guessed it) passwords. Then after a while distros changed, other stuff changed, and pam_pwdb didn't work so well anymore. At that point pam_unix was the solution, and it works great for doing the lookups for authentication, but I've just realized (at least on my systems) that it's pretty poor at handling password changes. I can authenticate fine, but when I want to change my password, pam_unix tells me that my username isn't in /etc/passwd or available via NIS. Well, no duh... it's in the LDAP directory. It's supposed to fail silently and fall back to pam_ldap, which will tell it everything is OK so I can carry on. For kicks I tried switching back to pam_pwdb, but it's just as dumb and I can't even authenticate with it (I'm pretty sure it's trying to read from /etc/{passwd,shadow} directly).
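The fallback described above, with pam_ldap handling the users pam_unix cannot find, depends on the order and control flags of the password stack. The fragment below is an added example of an /etc/pam.d/passwd stack and is not the configuration from the LDAP Authentication paper or from this post; it assumes Linux-PAM with pam_unix and pam_ldap installed and an /etc/ldap.conf that already points at the directory used for lookups.

```text
# /etc/pam.d/passwd  -- constructed example, not the author's configuration.
# Assumes Linux-PAM with pam_unix and pam_ldap installed and /etc/ldap.conf
# already configured for the directory.

# One ordering that produces the symptom described above: pam_unix runs
# first as "required", so for a user it does not know the stack's result
# is failure no matter what pam_ldap says afterwards.
#password   required     pam_unix.so md5
#password   required     pam_ldap.so

# Ask the directory first. "sufficient" means: if pam_ldap succeeds, the
# stack ends here with success; if it fails (for instance the user is not
# in LDAP), the result is ignored and control falls through instead of
# aborting.
password   sufficient   pam_ldap.so

# Local accounts. try_first_pass reuses the new password pam_ldap already
# prompted for, so nobody is asked twice when both modules run, and falls
# back to prompting when pam_ldap never got that far. Being last and
# "required", pam_unix's "user unknown" now only affects users that were
# not found in LDAP either.
password   required     pam_unix.so try_first_pass nullok md5
```

Two things to check before trusting a passwd run that reports success: the bind used by pam_ldap must actually be allowed to write the user's userPassword attribute (the server's ACLs decide that, not PAM), and the pam_password setting in /etc/ldap.conf controls how the new value is sent; pam_password exop is assumed here, so the server hashes the password itself rather than the client shipping a pre-hashed or cleartext value.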

At any rate, thank goodness for PHPLdapAdmin. At least I can change my password with it, but boy is it annoying that something that worked for me two years ago no longer works. The really irritating part is that it leaves my document useful as a reference, but kinda useless as a real-world "hold my hand and let's do it" guide.

Kerberos is easier than this, for crying out loud, and I used to think (mind you, about 5-6 years ago) that Kerberos was difficult. Kerberos is a piece of bloody cake!

Aaaaarghhh!
