[NCLUG] Is it possible to have LDAP use a different password field by service

Kevin H. Olson k.h.olson at att.net
Sun Oct 25 00:31:53 MDT 2009


Greetings!

  I have a server utilizing ldap for user authentication. For SSH, it is
working perfectly. I want to make an FTP server that is accessible to
the individuals who are in the ldap directory. However, I would like to
use a different password field, such that the password used for the FTP
server is different than the password used for the ssh. Basically, I
don't want people to send, in clear text over FTP, the same password the
user would enter for the ssh.

  I was hoping that it is possible to specify in the /etc/pam.d/vsftpd
file a parameter for the attribute in the ldap service to utilize for
the password. I've looked at what documentation I could find, and the
only parameters noted were "try_first_pass" and "use_first_pass".

  As I understand the standard (and I've not studied it in depth), any
suitable attribute may be used for the password storage. Nonetheless, I
don't see how/where to specify a different field.

  There are settings in the ldap.conf file, but it seems like these
settings would change the field for all services, but perhaps I am wrong
here.

  So, two questions. Is what I would like to do possible with ldap, and
if so, how? Second, if I can't make different services use different
ldap attributes, is there an alternative method that others have used to
meet the requirement of different passwords for different services?

  As always, the community's comments and suggestions are truly appreciated.

Kevin
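One way to give vsftpd its own LDAP lookup, shown here as an added example that is not part of the original post and not a reply from the list: the PADL pam_ldap module accepts a `config=` argument, so the vsftpd PAM stack can name a separate pam_ldap.conf whose `base` points at a different subtree than the one the SSH stack uses. The caveat a practitioner would raise first: pam_ldap authenticates with a simple bind as the user's DN, and the directory server then checks whatever password attribute it keeps for that DN (userPassword on OpenLDAP), so a second, FTP-only password is a second entry with its own userPassword rather than a second attribute on the same entry. The hostname, the DNs, the path /etc/pam_ldap-ftp.conf and the LDIF record are assumptions made for the example.

```text
# /etc/pam.d/vsftpd  (assumed layout; config= is the pam_ldap module option
# that selects an alternate pam_ldap.conf for this service only, leaving the
# SSH stack on the default /etc/ldap.conf)
auth     required  pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth     required  pam_ldap.so config=/etc/pam_ldap-ftp.conf
account  required  pam_ldap.so config=/etc/pam_ldap-ftp.conf

# /etc/pam_ldap-ftp.conf  (assumed server and DNs)
# Same directory as the SSH stack, different base: FTP entries live under
# ou=ftp and carry their own userPassword.
uri ldap://ldap.example.com/
base ou=ftp,dc=example,dc=com
scope one
pam_login_attribute uid
pam_filter objectClass=posixAccount

# LDIF for one user's FTP-only entry (constructed example). pam_ldap searches
# for uid=kevin under ou=ftp, then binds as that DN with the password typed at
# the FTP prompt; the server verifies this entry's userPassword, not the one
# on the SSH account under ou=people.
dn: uid=kevin,ou=ftp,dc=example,dc=com
objectClass: account
objectClass: posixAccount
uid: kevin
cn: kevin
uidNumber: 1001
gidNumber: 1001
homeDirectory: /srv/ftp/kevin
userPassword: {SSHA}base64-hash-of-the-ftp-only-password

# /etc/vsftpd.conf (relevant lines only): select the PAM service above, and
# protect the password in transit, which splitting the passwords alone does not do.
pam_service_name=vsftpd
ssl_enable=YES
```

Two checks before relying on this: keep the nss_ldap `base` (the one getpwnam uses) on ou=people, so the duplicate `uid=kevin` under ou=ftp is never visible to name-service lookups and vsftpd still maps the login to the person's normal UID and home directory; and treat the separate password as containment only, since it is still sent in the clear unless vsftpd's `ssl_enable` (FTPS) is turned on, which is the actual fix for the exposure the post describes.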


