Linux – Can nss/pam ldap send password to ldap server already hashed

Tags: active-directory, ldap, linux, nsswitch.conf, security

I have nss & pam configured so that I can authenticate Linux users via LDAP against my company's AD server. All works fine except that passwords are sent in plain text. For reasons out of my control our AD server does not support SSL/TLS and I don't think I can convince them to turn it on. Is it possible to configure this so that passwords are hashed before they are sent? In other words, AD stores passwords hashed, so why can't I just configure nss & pam ldap to send the password already hashed and then have the hash compared on the LDAP server? I think I have configured other software packages to do this in the past…

Best Answer

An alternative would be to use Kerberos 5 instead of an LDAP simple bind, simply via pam_krb5 for authentication only. libnss would then only use LDAP to resolve users. This way there's at least no plain-text password transmission, but all the LDAP queries are of course transmitted in plain text. Note that the account needed for the simple bind to query the directory should be Domain Guest or some highly unprivileged account, etc.

This is also trivial to do.
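To make the split the answer describes concrete, here is an added configuration example (not from the original post or any distribution's defaults) of the Kerberos-for-authentication, LDAP-for-lookups layout on a Debian-style system with nss-pam-ldapd (nslcd) and libpam-krb5. The realm `EXAMPLE.COM`, the domain controller `dc1.example.com`, the base DN, the `nss-lookup` service account and its password are placeholders to be replaced with your own values; the legacy nss_ldap package uses `/etc/ldap.conf` with largely the same keys instead of `/etc/nslcd.conf`.

```ini
# /etc/nsswitch.conf -- LDAP is used only to resolve users and groups, never for authentication
passwd:  files ldap
group:   files ldap
shadow:  files

# /etc/krb5.conf -- the Kerberos realm is the AD domain name in upper case; KDCs are the DCs
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
        admin_server = dc1.example.com
    }

# /etc/pam.d/common-auth -- the user's password goes to pam_krb5 (Kerberos AS exchange),
# so it never appears in an LDAP simple bind on the wire; local accounts fall back to pam_unix
auth    sufficient   pam_krb5.so minimum_uid=1000
auth    required     pam_unix.so try_first_pass

# /etc/pam.d/common-account
account required     pam_krb5.so minimum_uid=1000
account required     pam_unix.so

# /etc/nslcd.conf -- unprivileged bind used only for NSS lookups (read by root only);
# this bind password still crosses the network in clear text over ldap://, which is why
# the account must have no rights beyond reading user and group attributes
uri     ldap://dc1.example.com/
base    dc=example,dc=com
binddn  cn=nss-lookup,ou=Service Accounts,dc=example,dc=com
bindpw  REPLACE-WITH-LOOKUP-ACCOUNT-PASSWORD
filter  passwd (&(objectClass=user)(!(objectClass=computer)))
map     passwd uid sAMAccountName
```

Two points worth checking after applying this: confirm with a packet capture on port 389 that only the `nss-lookup` bind and search traffic appears during a login (the user's credential should only be visible as Kerberos traffic on port 88), and give the host a keytab with a `host/` principal so pam_krb5 can verify the ticket it receives against the KDC rather than trusting an unauthenticated KDC reply.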