
Re: openldap, pam_ldap, accounts

On Fri, 3 Dec 1999, John P. Looney wrote:

> From: John P. Looney <jplooney-ldap@online.ie>
> Kate

> Is it necessary to use ldap_pam AND ldap_nss ? I was just using ldap_nss &
> it wasn't working very well...

Depends what you are trying to achieve.

- PAM (pluggable authentication modules) is an authentication API so that you
  don't need to keep recompiling applications if/as/when you change
  authentication mechanisms (local passwords, remote passwords, ID cards,
  fingerprints, etc.).  PAM only handles that one issue - authentication.

- NSS (name service switch) is really just an admin-controlled backend for
  the existing UNIX naming functions (gethostbyname, getpwent, etc.), so that
  you can configure alternate (to the traditional /etc/* files) naming
  sources (NIS, etc.).

In terms of LDAP, if you use pam_ldap then your authentication procedures can
talk to a remote LDAP server to authenticate users - but nothing else about
your system changes (i.e., you still need to have user accounts in /etc/*).

If you use nss_ldap then you can remove user entries from /etc/* files and
have them live entirely in a remote LDAP server, but this is only handling
naming/lookup functions (e.g., converting UIDs to logins in
"ls" output).  Authentication will try and use whatever the PAM module has
been configured to use (it may call NSS functions and thus "appear" to work
sometimes, or it may try and access /etc/* files directly in which case it
will fail as the users don't exist there anymore).

If you are trying to move certain users entirely out of /etc/* files to an
LDAP directory (but still have them act/react like normal UNIX users), then at
the very least you will need both nss_ldap and pam_ldap.
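The two halves described in this reply live in two different files: the NSS half in /etc/nsswitch.conf (the `passwd:`/`shadow:`/`group:` lines) and the PAM half in the per-service stack under /etc/pam.d/. The following shell script is an added example, not part of the original thread or of the nss_ldap/pam_ldap projects: it inspects both files and reports which half is missing, which is exactly the "nss_ldap only" situation where `ls` shows names but logins fail. The file contents are constructed samples written to a temporary directory; the function names (`nss_has_ldap`, `pam_has_ldap`, `diagnose`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original thread). Checks whether a host has BOTH
# halves of the nss_ldap + pam_ldap setup: "ldap" as a source for the passwd
# database in nsswitch.conf, and pam_ldap.so in the auth stack of a PAM service.
# The sample files below are constructed; on a real host point the functions at
# /etc/nsswitch.conf and /etc/pam.d/<service>.

# nss_has_ldap FILE DB -> exit 0 if DB (passwd, shadow, group) lists "ldap"
# as a source in FILE.  A commented-out line does not count.
nss_has_ldap() {
    grep -E "^[[:space:]]*$2:" "$1" | grep -qw ldap
}

# pam_has_ldap FILE TYPE -> exit 0 if the PAM stack in FILE uses pam_ldap.so for
# the given management group (auth, account, password, session).
pam_has_ldap() {
    grep -E "^[[:space:]]*$2[[:space:]]" "$1" | grep -q 'pam_ldap\.so'
}

# diagnose NSSWITCH PAMFILE -> prints one of: complete, nss-only, pam-only, neither
diagnose() {
    n=0; p=0
    nss_has_ldap "$1" passwd && n=1
    pam_has_ldap "$2" auth && p=1
    case "$n$p" in
        11) echo complete ;;
        10) echo nss-only ;;   # names/uids resolve (ls, id) but logins fail
        01) echo pam-only ;;   # password checks pass but the user has no uid/home
        *)  echo neither ;;
    esac
}

# --- constructed sample files ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/nsswitch.conf" <<'EOF'
passwd: files ldap
shadow: files ldap
group:  files ldap
hosts:  files dns
EOF

# PAM stack that only knows local passwords: the "nss_ldap alone" situation.
cat > "$tmp/login.nss-only" <<'EOF'
auth     required   pam_unix.so
account  required   pam_unix.so
EOF

# PAM stack that tries LDAP first and falls back to /etc/shadow; use_first_pass
# keeps pam_unix from prompting for the password a second time.
cat > "$tmp/login.both" <<'EOF'
auth     sufficient pam_ldap.so
auth     required   pam_unix.so use_first_pass
account  sufficient pam_ldap.so
account  required   pam_unix.so
EOF

diagnose "$tmp/nsswitch.conf" "$tmp/login.nss-only"   # prints nss-only
diagnose "$tmp/nsswitch.conf" "$tmp/login.both"       # prints complete
```

Running the script prints `nss-only` for the first stack and `complete` for the second. On a host where an LDAP-only user shows up in `getent passwd` but cannot log in, this is the first thing to check: the NSS half is working, and the service's PAM stack is still consulting only pam_unix and therefore only /etc/shadow.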