On Jan 13, 2006, at 11:45 AM, Allan Spagnol Comar wrote:
> thanks. I believe I am starting to understand this.
>
> I was seeing that ldap can authenticate in a lot of types, like ,
> databases, files, and PAM do some things like that too.... or am I
> wrong ?
>
As far as I know you are wrong. LDAP is an authentication
mechanism. It stores usernames, passwords, and much more.
LDAP is *not* an authentication mechanism. LDAP stands for Lightweight Directory Access Protocol, so LDAP is a protocol you use to access data stored in a structured way, called directory. An LDAP directory is a directory that may be accessed using LDAP. An LDAP server is a server that serves its data using LDAP. LDAP servers are used for a lot of things, and two of them may be single sign on or centralized authentication (they are different although related things).
To access data in a directory you may have to authenticate first. This authentication can be done in several ways, and one of them is called simple bind: in this case you provide a path to locate an object in the directory and a password, and the server "compares" the password provided with the password stored in the specified object. IIRC the PAM-LDAP module uses simple bind to authenticate a user trying to gain access to the system. That is, the PAM module takes the provided user and password and tries to authenticate itself against the LDAP server using the simple bind mechanism, translating the user into a path to locate the object representing that user in the directory.
BIG WARNING: Don't do this unless you're using simple bind over SSL-protected connections, unless you want your passwords to travel (almost?) as clear text through the network.
HTH
Jose
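As an added illustration of the simple bind described above (example code written for this page, not code from the original mail or from pam_ldap), the following builds the exact bytes that a client sends for an LDAPv3 simple BindRequest (RFC 4511) after mapping a login name to a DN, then decodes a BindResponse. The DN template `uid=<user>,<base>`, the usernames, and the two sample response packets are constructed for the example; they are not captured traffic. It uses only the standard library, so it runs offline.

```python
"""Added example (not from the original mail): what a pam_ldap-style
LDAP simple bind looks like on the wire, and why it needs TLS."""

# --- minimal BER helpers (the subset LDAP's LDAPMessage needs) ---

def ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    """Tag-Length-Value wrapper."""
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(v: int) -> bytes:
    """INTEGER/ENUMERATED content for non-negative v (leading 0x00 when the top bit is set)."""
    return v.to_bytes(v.bit_length() // 8 + 1, "big")

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

# --- username -> DN: the translation step the mail describes ---

_DN_SPECIALS = ',+"\\<>;'

def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 rules)."""
    out = "".join("\\" + c if c in _DN_SPECIALS else c for c in value)
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    return out

def user_to_dn(username: str, base: str, login_attr: str = "uid") -> str:
    """Assumed template: <login_attr>=<user>,<base> (how pam_ldap is commonly configured)."""
    return f"{login_attr}={escape_dn_value(username)},{base}"

# --- BindRequest / BindResponse (RFC 4511 sections 4.2 and 4.2.2) ---

def build_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind_request = tlv(0x60,                                # [APPLICATION 0], constructed
        tlv(0x02, ber_int(3))                               # version: 3
        + tlv(0x04, dn.encode("utf-8"))                     # name: LDAPDN
        + tlv(0x80, password.encode("utf-8")))              # authentication: simple [0]
    return tlv(0x30, tlv(0x02, ber_int(msg_id)) + bind_request)

def decode_bind_response(packet: bytes):
    """Parse LDAPMessage { messageID, BindResponse } -> (msg_id, resultCode, diagnostic)."""
    tag, body, _ = read_tlv(packet, 0)
    assert tag == 0x30, "not an LDAPMessage"
    tag, mid, pos = read_tlv(body, 0)
    assert tag == 0x02, "missing messageID"
    tag, resp, _ = read_tlv(body, pos)
    assert tag == 0x61, "not a BindResponse"                # [APPLICATION 1]
    tag, code, pos = read_tlv(resp, 0)
    assert tag == 0x0A, "missing resultCode"                # ENUMERATED
    _, _matched_dn, pos = read_tlv(resp, pos)
    _, diag, _ = read_tlv(resp, pos)
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8")

def password_visible_on_wire(packet: bytes, password: str) -> bool:
    """True when the secret appears verbatim in the bytes: why simple bind needs TLS."""
    return password.encode("utf-8") in packet

LDAP_SUCCESS, LDAP_INVALID_CREDENTIALS = 0, 49

# Constructed sample responses (not captured traffic): success and invalidCredentials.
SAMPLE_BIND_OK  = bytes.fromhex("300c020101" "61070a010004000400")
SAMPLE_BIND_BAD = bytes.fromhex("300c020101" "61070a013104000400")

if __name__ == "__main__":
    dn = user_to_dn("alice", "ou=People,dc=example,dc=com")
    pkt = build_simple_bind(1, dn, "s3cret")
    print("DN    :", dn)
    print("wire  :", pkt.hex())
    print("leaks?:", password_visible_on_wire(pkt, "s3cret"))
    print("reply :", decode_bind_response(SAMPLE_BIND_OK))
```

The `password_visible_on_wire` check makes the mail's warning concrete: the simple credential is a plain OCTET STRING, so anyone on the path reads it unless the TCP connection is wrapped in TLS (ldaps on 636, or StartTLS on 389) before the bind is sent.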