We have a Java-based application which communicates with/relies on PAM for its authentication needs. Users can be from local (shadow) or external (directory servers). The Java application is run as a non-root user (say, juser).
In the LDAP configuration, the bind password is stored in plain text in /etc/ldap.conf. To overcome this security gap, I have replaced the binddn with rootbinddn and moved the bind password into ldap.secret. Following are the permissions and ownership of the LDAP configuration files:
640 root jusergroup /etc/ldap.conf
600 root root /etc/ldap.secret
Users can access the system via SSH seamlessly (after I modify the binddn to rootbinddn), while authentication to the application fails.
The interesting part is that when I configure the application to an OpenLDAP server, all users can authenticate successfully to SSH and to the Java application, but when configured to an MS Active Directory server, the SSH authentication succeeds while the authentication to the Java application fails (as the process owner is juser). Now I restart the Java application as the root user and all authentications (SSH and Java application) succeed.
Following is the exception from the Active Directory server's event log:
Internal event: The LDAP server returned an error.
Additional Data Error value: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
- Why would there be a different bind behavior between openldap and MS Active Directory?
- During LDAP bind, is the user making the request passed onto the directory server?
- Is there a mechanism to tell PAM to use root creds during the authentication validation so that I can still run the Java application as juser?
Thanks
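The bind selection the question is circling around, as an added example that is not part of the original post. pam_ldap/nss_ldap document rootbinddn as the DN to bind with only when the effective UID is root (the password is read from /etc/ldap.secret, mode 600); any other process falls back to binddn/bindpw from ldap.conf, or to an anonymous bind when those are absent. OpenLDAP's default access policy allows anonymous reads, whereas Active Directory by default refuses operations on an unauthenticated connection with exactly the "a successful bind must be completed" error quoted above, which is why the two servers behave differently for the juser process. The script below reproduces that decision logic on constructed config files in a temp directory (the DNs, hostnames and the password are made up) and adds a small permission check showing which UID:GID can actually read a 640 root:jusergroup or 600 root:root file. It is illustrative code, not pam_ldap's own implementation.

```shell
#!/bin/sh
# Added example: models pam_ldap's choice of bind identity and basic
# file-permission checks. Not the library's code; config values are constructed.
set -e

# Constructed sample files in a temp dir (never touches the real /etc/ldap.conf).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Variant 1: what the question describes (rootbinddn + ldap.secret).
cat > "$WORK/ldap.conf" <<'EOF'
uri ldap://dc01.example.test/
base dc=example,dc=test
rootbinddn cn=pamreader,cn=Users,dc=example,dc=test
EOF
printf 'S3cretPassw0rd\n' > "$WORK/ldap.secret"
chmod 640 "$WORK/ldap.conf"
chmod 600 "$WORK/ldap.secret"

# Variant 2: a dedicated read-only bind account in a file the service group can read.
cat > "$WORK/ldap-juser.conf" <<'EOF'
uri ldap://dc01.example.test/
base dc=example,dc=test
binddn cn=pamreader,cn=Users,dc=example,dc=test
bindpw S3cretPassw0rd
EOF
chmod 640 "$WORK/ldap-juser.conf"

# Print the value of the first matching directive in an ldap.conf-style file.
conf_get() {  # conf_get FILE KEY
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# Can a process running as UID:GID read a file with this octal mode and owner?
# Root always can. Returns 0 = yes, 1 = no.
readable_by() {  # readable_by MODE OWNER_UID OWNER_GID UID GID
    mode=$1; fuid=$2; fgid=$3; uid=$4; gid=$5
    [ "$uid" -eq 0 ] && return 0
    m=${mode#"${mode%???}"}            # keep the last three octal digits
    owner=${m%??}; grp=${m#?}; grp=${grp%?}; other=${m#??}
    if [ "$uid" -eq "$fuid" ]; then bit=$owner
    elif [ "$gid" -eq "$fgid" ]; then bit=$grp
    else bit=$other; fi
    [ $((bit & 4)) -ne 0 ]
}

# Which bind pam_ldap would attempt for a process with effective UID $3.
# rootbinddn + ldap.secret are used only when euid == 0 (as pam_ldap documents);
# otherwise binddn/bindpw, or an anonymous bind if neither is configured.
# Echoes: "root-bind <dn>" | "simple-bind <dn>" | "anonymous"
bind_choice() {  # bind_choice CONF SECRET EUID
    conf=$1; secret=$2; euid=$3
    rootdn=$(conf_get "$conf" rootbinddn)
    binddn=$(conf_get "$conf" binddn)
    bindpw=$(conf_get "$conf" bindpw)
    if [ "$euid" -eq 0 ] && [ -n "$rootdn" ] && [ -s "$secret" ]; then
        echo "root-bind $rootdn"
    elif [ -n "$binddn" ] && [ -n "$bindpw" ]; then
        echo "simple-bind $binddn"
    else
        echo "anonymous"
    fi
}

# Does the directory accept the chosen bind? Anonymous operations are allowed
# by OpenLDAP's default ACL but rejected by Active Directory's defaults.
server_accepts() {  # server_accepts openldap|ad BIND_CHOICE
    case "$1 $2" in
        "ad anonymous") return 1 ;;
        *) return 0 ;;
    esac
}

# Stand-alone demo: sshd (euid 0) vs the juser process (euid 1001, gid 1002).
for conf in ldap.conf ldap-juser.conf; do
    for euid in 0 1001; do
        choice=$(bind_choice "$WORK/$conf" "$WORK/ldap.secret" "$euid")
        for srv in openldap ad; do
            if server_accepts "$srv" "$choice"; then res=ok; else res=FAIL; fi
            printf '%-16s euid=%-4s %-8s %-55s %s\n' "$conf" "$euid" "$srv" "$choice" "$res"
        done
    done
done
# File-permission view of the question's two files for juser (uid 1001, gid 1002):
if readable_by 640 0 1002 1001 1002; then echo "ldap.conf   640 root:jusergroup  readable by juser"; fi
if ! readable_by 600 0 0 1001 1002; then echo "ldap.secret 600 root:root        NOT readable by juser"; fi
```

Running it prints the same matrix the question reports: with the rootbinddn configuration, euid 0 binds as the root DN against both servers, while euid 1001 ends up anonymous, which OpenLDAP tolerates and Active Directory rejects; with a plain binddn/bindpw in a 640 root:jusergroup file, both UIDs perform a simple bind and both servers accept it.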