Using LDAP through PAM authenticator?

Hi All,

After a while, I have tried to install the new OOD 2.0.13. There are many new features as compared to 1.6 - 1.8 versions, in particular the massive support for single sign on and changes to user mapping.

My question: if I am to shy away from these new features, can I get away with just using the old PAM authenticator? As in: LDAP feeds to SSSD, SSSD feeds to PAM module (sshd which is copied to OOD); and then I enable the PAM authenticator for OOD instead of using Dex. It will have an additional benefit in that I could use same user’s home directory creation script that now lives in PAM in our HPC system.

Is there any grave security risk doing the LDAP-SSSD-PAM? Has anyone been using the PAM module? Thanks!

Another thing is, it seems that the user mapping regex that PAM module documents, is gone. If a user mapping is one-to-one, as is the case with PAM, can I just provide an arbitrary script like /bin/echo $1 instead of the missing user_map.regex or what it was called?

Thank you very much in advance,

Grigory Shamov
University of Manitoba

There is a security risk in Apache’s PAM and LDAP authentication methods because they’re secure. They pass your passwords directly in a header, they only base 64 encode it. So you’re passing your password to the server with every request that’s made. That makes the surface area for an attack much larger - because it’s every request (:pray: that you’re at least running SSL so the requests are encrypted, if it’s plain text well then, your password is just there in plain text for anyone to find).

Open ID Connect (which is what Dex is) passes a token on every request, so if someone were to obtain that, they could impersonate you in Open OnDemand, but nowhere else and only for a little while until the token expires, they won’t know your password and won’t be able to reset it (unless you can reset it in a command).

Dex has LDAP support so that’s a much more secure option for you.

If the user mapping is 1:1 the default user_map_match: '.*' should work out of the box for you, no script required.
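As an added illustration of the difference Jeff describes (not code from this thread or from the Open OnDemand project): the script below decodes a constructed HTTP Basic `Authorization` header the way any proxy or log reader could, and contrasts it with a bearer token that carries an expiry and a signature. The signing key, the sample requests and the `audit_request` classification strings are all constructed for the demo; the token format is a minimal HS256 JWT and is only a stand-in for what an IdP such as Dex would issue.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical signing key for the demo tokens; a real IdP uses its own keys.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
# Fixed clock so the example is reproducible.
FIXED_NOW = 1_700_000_000


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def decode_basic(header: str):
    """Recover the credentials from an HTTP Basic Authorization header.

    Base64 is an encoding, not encryption: anything that can read the header
    (a proxy, an access log, a TLS termination point) reads the password.
    Returns (username, password).
    """
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password


def issue_token(subject: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Mint a minimal HS256 JWT with an expiry (stand-in for an IdP-issued token)."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": subject, "iat": now, "exp": now + ttl_seconds}).encode())
    sig = _b64url(hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest())
    return f"{header}.{payload}.{sig}"


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the signature checks out and the token is unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64url(hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        return None
    return claims


def audit_request(request: dict, now: Optional[int] = None) -> str:
    """Classify what an observer of this request learns from its Authorization header."""
    auth = request["headers"].get("Authorization", "")
    if auth.lower().startswith("basic "):
        user, _ = decode_basic(auth)
        channel = "encrypted" if request["scheme"] == "https" else "PLAINTEXT"
        return f"basic:{user}:password-in-every-request:{channel}"
    if auth.lower().startswith("bearer "):
        claims = verify_token(auth[7:], now)
        if claims is None:
            return "bearer:rejected"
        return f"bearer:{claims['sub']}:valid-until:{claims['exp']}"
    return "unauthenticated"


# Constructed sample requests (not captured traffic): two carry Basic credentials
# as Apache's PAM/LDAP modules receive them, one carries a short-lived bearer token.
SAMPLE_REQUESTS = [
    {"scheme": "https", "headers": {"Authorization": "Basic " + base64.b64encode(b"alice:hunter2").decode()}},
    {"scheme": "http", "headers": {"Authorization": "Basic " + base64.b64encode(b"alice:hunter2").decode()}},
    {"scheme": "https", "headers": {"Authorization": "Bearer " + issue_token("alice", 600, now=FIXED_NOW)}},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(audit_request(req, now=FIXED_NOW + 100))
    # An hour later the bearer token is rejected while the Basic password is still the password.
    print(audit_request(SAMPLE_REQUESTS[2], now=FIXED_NOW + 3600))
```

Run it and the two Basic requests report the username with the password recoverable on every request (and flagged PLAINTEXT for the `http` one), while the bearer request reports a bounded validity window and is rejected once `exp` has passed or the signature is tampered with, which is the "impersonate for a little while, but never learn the password" property Jeff points to.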

Hi Jeff,

Thanks for the quick answer! Yes, SSL is there, no plain HTTP.
Dex does not take my org’s wildcard SSL cert. It does not seem to work with wildcard certs at all, no?

Other question: if one uses Dex, is there a way to somehow merge it with PAM for account setup (homedirs, quota)?

Thanks for the mapping hint!

Grigory Shamov