LDAP Authentication using PAM in irods (without SSL?)


Paul

Jul 27, 2022, 10:26:25 AM
to iRODS-Chat
Hello,

Is it possible to use LDAP Authentication via PAM in irods without SSL? If this is not possible, could you please explain to me why SSL must be configured first?

Thanks.

Regards,
Paul

Alan King

Jul 27, 2022, 10:43:32 AM
to irod...@googlegroups.com
It is not possible to use the PAM authentication plugin without enabling SSL.

The reason SSL must be configured is described in the PAM authentication plugin documentation:

Since PAM requires the user's password in plaintext, iRODS relies on SSL encryption to protect these credentials. PAM authentication makes use of SSL regardless of the iRODS Zone SSL configuration (meaning even if iRODS explicitly does not encrypt data traffic, PAM will use SSL during authentication).

That text is found here: https://docs.irods.org/4.2.11/plugins/pluggable_authentication/#pam-pluggable-authentication-module It then goes on to explain how to set that up. For completeness, the same rules apply for the pam_password plugin in 4.3.0.



--
Alan King
Senior Software Developer | iRODS Consortium

John

Sep 16, 2022, 5:38:39 AM
to iRODS-Chat
Hi,
For the test system, I used a self-signed certificate by following this helpful link: https://github.com/irods-contrib/metalnx-web/blob/main/docs/PAM-&-SSL-Configuration.md. This worked successfully. I used LDAP (that is, without SSL), because it was only for testing.

Now I'm using LDAPS (LDAP over Secure Sockets Layer) for the productive system. The LDAP server (LDAPS) - iRODS Server connection is working well. I can see the LDAP users on the iRODS Server by using the getent passwd command.
I'm wondering about this question: As I have done for the test system,
do I need to configure SSL on the iRODS Server and apply for a certificate from a trusted CA instead of using a self-signed certificate, because I think it is not good for a productive system
or
is there another way to do this easily, as I'm using LDAPS?
Please guide me on how I can use PAM for authentication.

Regards
John

Alan King

Oct 11, 2022, 4:24:02 PM
to irod...@googlegroups.com
Hi,

Unfortunately, I am not very familiar with LDAP or LDAPS, so I cannot speak to the specifics of such an implementation nor to its potential success. However, as I said before, the PAM authentication plugin for iRODS requires SSL to be configured in the client and the server regardless of the application. So, if you are using PAM authentication, you will need to configure SSL regardless of anything else.

That being said, using a self-signed certificate seems advisable only for development and testing, as you pointed out.

Hope that's of some help...

Alan
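
A check for the client-side settings this thread turns on, as an added example that is not part of the original posts or of iRODS itself: it reads a client irods_environment.json and reports how strictly the server certificate is verified when PAM is the authentication scheme. The function name, sample environments and file paths are constructed, and the defaults applied to unset keys are assumptions.

```python
import json

# Scheme names, compared case-insensitively: "PAM" (4.2.x), "pam_password" (4.3.0).
PAM_SCHEMES = {"pam", "pam_password"}

def audit_irods_env(env):
    """Return findings for a client environment that authenticates with PAM."""
    findings = []
    # Assumption: an unset scheme means native authentication.
    scheme = str(env.get("irods_authentication_scheme", "native")).lower()
    if scheme not in PAM_SCHEMES:
        return findings  # the plaintext-password concern applies to PAM only
    # Assumption: an unset verification level behaves as "hostname".
    verify = str(env.get("irods_ssl_verify_server", "hostname")).lower()
    if verify == "none":
        findings.append("irods_ssl_verify_server=none: server certificate is not "
                        "checked, so the PAM password may go to an unverified server")
    elif verify == "cert":
        findings.append("irods_ssl_verify_server=cert: certificate chain is checked "
                        "but the host name is not")
    elif verify != "hostname":
        findings.append("irods_ssl_verify_server=%s: unrecognized value" % verify)
    if not env.get("irods_ssl_ca_certificate_file"):
        findings.append("irods_ssl_ca_certificate_file is not set: confirm the client "
                        "trusts the CA that issued the server certificate")
    return findings

# Constructed sample environments (paths are placeholders).
TEST_ENV = json.loads("""{
  "irods_authentication_scheme": "PAM",
  "irods_ssl_verify_server": "none",
  "irods_ssl_ca_certificate_file": "/etc/irods/ssl/selfsigned.crt"
}""")
PROD_ENV = json.loads("""{
  "irods_authentication_scheme": "pam_password",
  "irods_ssl_verify_server": "hostname",
  "irods_ssl_ca_certificate_file": "/etc/ssl/certs/ca-bundle.crt"
}""")

if __name__ == "__main__":
    for name, env in (("test", TEST_ENV), ("production", PROD_ENV)):
        for finding in audit_irods_env(env) or ["no findings"]:
            print("%s: %s" % (name, finding))
```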
