In the context of a customer we ran into the requirement to have authenticated binds to an LDAP server for authentication and identity management without exposing the bind password to all users on the system. The mandate for allowing only authenticated binds to the LDAP server arises from SOX compliance requirements. The proposed solution was to use nscd for nss_ldap access so that unprivileged users do not need to see the bind password, but this does not cover unprivileged applications that need to authenticate users via PAM, like xscreensaver. The proposed solution here is the pam_ccreds module.
The proper PAM (system-auth) configuration is:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
auth        [authinfo_unavail=ignore success=1 default=2] pam_ldap.so try_first_pass
auth        [success=done default=die] pam_ccreds.so action=validate use_first_pass
auth        [success=done default=die] pam_ccreds.so action=store
auth        [default=die] pam_ccreds.so action=update
auth        required      pam_deny.so

account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore authinfo_unavail=ignore] pam_ldap.so

password    required      pam_cracklib.so retry=3
password    sufficient    pam_unix.so nullok use_authtok shadow md5
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_ldap.so
So actually for RHEL3 (pam-0.75) one more adjustment is necessary; this is the final PAM config:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
auth        [authinfo_unavail=ignore success=1 default=2] pam_ldap.so try_first_pass
auth        [success=done default=die] pam_ccreds.so action=validate use_first_pass
auth        [success=done default=die] pam_ccreds.so action=store
auth        [default=die] pam_ccreds.so action=update
auth        required      pam_deny.so

account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore authinfo_unavail=ignore] pam_ldap.so

password    required      pam_cracklib.so retry=3
password    sufficient    pam_unix.so nullok use_authtok shadow md5
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_ldap.so
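The auth stack above relies on the bracketed control syntax: pam_ldap success jumps over the validate step straight to store, authinfo_unavail falls through to validating cached credentials, and any other pam_ldap failure jumps to update (which drops the cache) and then dies before pam_deny. The following simulator is an added example, not code from the bug report or from Linux-PAM; it is a simplified model of the ignore/ok/done/bad/die/jump rules in pam.conf(5) (an assumption, not the library's own dispatcher), and the per-module return values in scenario() are constructed, including what pam_ccreds returns for action=update.

```python
"""Added example: simulate Linux-PAM control-flag semantics over the report's auth stack.

Simplified model of the pam.conf(5) rules (assumption: not Linux-PAM's own code).
"""
import re

# PAM return values used by the model (names mirror the pam.conf(5) keywords).
PAM_SUCCESS = "success"
PAM_AUTH_ERR = "auth_err"
PAM_AUTHINFO_UNAVAIL = "authinfo_unavail"
PAM_PERM_DENIED = "perm_denied"

# Keyword controls expanded to their bracketed form, as documented in pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# The auth lines of the stack from the report (other facilities omitted).
REPORT_AUTH_STACK = """
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth [authinfo_unavail=ignore success=1 default=2] pam_ldap.so try_first_pass
auth [success=done default=die] pam_ccreds.so action=validate use_first_pass
auth [success=done default=die] pam_ccreds.so action=store
auth [default=die] pam_ccreds.so action=update
auth required pam_deny.so
"""

LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_stack(text, facility="auth"):
    """Return one facility's entries as dicts with module, args and value->action map."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        fac, control, module, args = m.groups()
        if fac != facility:
            continue
        if control.startswith("["):
            actions = dict(tok.split("=", 1) for tok in control[1:-1].split())
        else:
            actions = KEYWORDS[control]
        entries.append({"module": module, "args": args.split(), "actions": actions})
    return entries


def label(entry):
    """Module name plus its action= argument, so the three pam_ccreds lines stay distinct."""
    return " ".join([entry["module"]] + [a for a in entry["args"] if a.startswith("action=")])


def run_stack(entries, results):
    """Walk the stack with caller-supplied return values (label -> value).

    Returns (final status, labels actually invoked). An integer action is 'ok'
    plus skipping that many modules; 'done'/'die' stop the walk.
    """
    impression = None      # None: undecided, True: positive, False: negative
    status = PAM_PERM_DENIED
    skip = 0
    invoked = []
    for entry in entries:
        if skip:
            skip -= 1
            continue
        name = label(entry)
        invoked.append(name)
        rv = results[name]
        action = entry["actions"].get(rv, entry["actions"].get("default", "bad"))
        if action == "ignore":
            continue
        if action == "reset":
            impression, status = None, PAM_PERM_DENIED
            continue
        if action in ("bad", "die"):
            if impression is not False:
                impression = False
                if rv != PAM_SUCCESS:          # keep the first failure code
                    status = rv
                elif status == PAM_SUCCESS:
                    status = PAM_PERM_DENIED
            if action == "die":
                break
            continue
        # ok, done or jump: record this value unless an earlier failure is pending
        if impression is None or (impression and status == PAM_SUCCESS):
            impression, status = True, rv
        if action == "done" and impression:
            break
        if action.isdigit():
            skip = int(action)
    if impression is None or (status == PAM_SUCCESS and not impression):
        status = PAM_PERM_DENIED
    return status, invoked


def scenario(ldap_rv, validate_rv=PAM_SUCCESS, update_rv=PAM_AUTH_ERR):
    """One login attempt by an LDAP-only user with constructed module outcomes."""
    results = {
        "pam_env.so": PAM_SUCCESS,
        "pam_unix.so": PAM_AUTH_ERR,               # no local password; 'sufficient' ignores it
        "pam_ldap.so": ldap_rv,
        "pam_ccreds.so action=validate": validate_rv,
        "pam_ccreds.so action=store": PAM_SUCCESS,
        "pam_ccreds.so action=update": update_rv,  # assumed value, see lead-in
        "pam_deny.so": PAM_AUTH_ERR,
    }
    return run_stack(parse_stack(REPORT_AUTH_STACK), results)


if __name__ == "__main__":
    for ldap in (PAM_SUCCESS, PAM_AUTHINFO_UNAVAIL, PAM_AUTH_ERR):
        print(ldap, "->", scenario(ldap))
```

Running it shows the three paths the stack is designed for: with the directory reachable and the password right, validate is skipped and store ends the stack with success; with the directory unreachable, only the cached credentials decide; with a wrong password, validate and store are skipped, update runs to invalidate the cache, and the stack dies with the pam_ldap error before pam_deny is reached.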
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2007-0461.html