
Re: Login auth. via LDAP?



Dirk Vleugels wrote:

> does anyone on this list actually use LDAP for user authentication
> on Linux/Solaris/AIX etc.? I was able to build the nss_ldap.so module,
> edited nsswitch.conf (to include ldap for passwd & group), but the login
> process fails. Running the test program, it dumps core when calling
> endgrent() and endpwent(). But only if linked with a shared nss_ldap.so.
> Compiling it static, it passes all tests. This happens on Solaris 2.5/2.5.1/
> 2.6. Both with OpenLDAP and the Netscape SDK (with netscape server).

Yes.  I'm using nss_ldap.so at home and pam_ldap.so on a production server.
(Both run Linux.) My experience has been that using PAM rather than nss is
_the_ way to go.  Running nss_ldap on the same server that was running slapd
led to loads of crashes when accessing it from the network.  Besides, using PAM
allows you to use whatever hash mechanism slapd supports.  The downside is that
not everything supports PAM, SSH being the most notable.  I've seen a patch for
SSH to add PAM support, but it was for an older ssh and the patch no longer
patches or works.  Otherwise, WU-IMAP, ProFTPD, login, passwd, su and anything
else I'm forgetting all work great for me.  The only caveat is that I have to
link everything to -lldapssl30 (Netscape's ssl-ldap sdk) and -lpthread. I'm
sure there's a better way, I just haven't had the time.

d