
Re: openldap, pam_ldap, accounts



On Sat, Dec 04, 1999 at 12:31:05PM +1100, David J N Begley mentioned:
> On Fri, 3 Dec 1999, John P. Looney wrote:
> 
> > From: John P. Looney <jplooney-ldap@online.ie>
> [...]
> > Kate
> ???

 http://www.redbrick.dcu.ie/~valen/kate.html

> > Is it necessary to use ldap_pam AND ldap_nss ? I was just using ldap_nss &
> > it wasn't working very well...
> 
> Depends what you are trying to achieve.
> 
> - PAM (pluggable authentication modules) is an authentication API so that you
>   don't need to keep recompiling applications if/as/when you change
>   authentication mechanisms (local passwords, remote passwords, ID cards,
>   fingerprints, etc.).  PAM only handles that one issue - authentication.
> 
> - NSS (name service switch) is really just an admin-controlled backend for
>   the existing UNIX naming functions (gethostbyname, getpwent, etc.), so that
>   you can configure alternate (to the traditional /etc/* files) naming
>   sources (NIS, etc.).

 OK. I've a few problems with both of them. I like NSS, in that it's a lot
easier to control, and I'm more familiar with it than PAM. But, if using
both doesn't conflict, all the better. I'll use both.

 The main problem with nss_ldap isn't the round-trip time. It doesn't seem
to cache information. This isn't a big deal with authentication...but if
you go into a directory that's owned by a user whose UIDs are stored on the
LDAP server, and do an 'ls -l' on a hundred or so files, it can take a
minute or two to complete. NIS is two orders of magnitude faster because of
this. That said, I've now worked out how to get OpenLDAP to index based on
UID numbers, so it is a little faster now.

On Sat, Dec 04, 1999 at 12:31:05PM +1100, David J N Begley mentioned:
> If you are trying to move certain users entirely out of /etc/* files to an
> LDAP directory (but still have them act/react like normal UNIX users), then at
> the very least you will need both nss_ldap and pam_ldap.

 OK. I can live with that.

On Sat, Dec 04, 1999 at 08:37:43AM -0500, Ben Collins mentioned:
> On Sat, Dec 04, 1999 at 12:31:05PM +1100, David J N Begley wrote:
> > If you are trying to move certain users entirely out of /etc/* files to an
> > LDAP directory (but still have them act/react like normal UNIX users), then at
> > the very least you will need both nss_ldap and pam_ldap.
> 
> Actually it depends on which PAM module you are using. If you are using
> pam_pwdb, then nss_ldap will fail since pwdb tried to replicate what libc
> does (badly IMO). If you use pam_unix, then the normal nss_ldap module
> will suffice for authentication (so long as the nss_ldap config contains a
> bind DN with enough privileges to return a password field).

 Should I use the exact /etc/pam.d files that come with pam_ldap then?
They are markedly different from the ones that come with RedHat 6.1.

John

-- 
Microsoft. The best reason in the world to drink beer.
http://www.redbrick.dcu.ie/~valen
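The three points made in this thread (NSS and PAM are separate layers, pam_unix over nss_ldap needs a bind DN that can read password fields, and nss_ldap is slow without an index on the UID attributes) fit together in one configuration. The following is an added example, not a file from this thread or from the pam_ldap/nss_ldap distributions: the file paths, the `/lib/security` module location (the Linux-PAM layout of the time), and the directory suffix are assumptions; the nsswitch.conf, pam.d, `index` and `access` syntax are the standard forms for glibc, Linux-PAM and OpenLDAP slapd.conf.

```conf
# /etc/nsswitch.conf (assumed path). NSS only answers getpwnam/getpwuid/
# getgrnam and friends, which is what 'ls -l' needs to turn UIDs into
# names. Nothing in this file authenticates anybody.
passwd:     files ldap
group:      files ldap
shadow:     files ldap

# /etc/pam.d/login (assumed path; the same stack can be used for other
# services). PAM handles only authentication. pam_ldap binds to the
# directory AS THE USER with the password that was typed, so the bind DN
# in nss_ldap's own config never needs permission to read userPassword.
# pam_unix with use_first_pass still lets purely local accounts log in.
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_unix.so use_first_pass
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix.so
password   sufficient   /lib/security/pam_ldap.so
password   required     /lib/security/pam_unix.so use_first_pass
session    required     /lib/security/pam_unix.so

# /etc/openldap/slapd.conf (assumed path), relevant fragment only.
# Equality indexes on the attributes nss_ldap searches by. Without them,
# every getpwuid() issued by 'ls -l' is a full scan of the database.
index   uid,uidNumber,gidNumber   eq
index   memberUid                 eq
index   objectClass               eq

# Because authentication goes through a bind (pam_ldap), password hashes
# never have to be readable: a bind may use them ("auth"), the user may
# change their own, and nobody else, including the nss_ldap bind DN,
# can read them. With pam_unix-only authentication the last line would
# have to grant read, exposing every hash to any host holding that DN.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by * read
```

The `auth` stack is ordered so that `pam_ldap` is tried first and is `sufficient`: an LDAP user who binds successfully is accepted immediately, while a user unknown to the directory falls through to `pam_unix`, which reuses the already-typed password. For the remaining lookup latency that the indexes do not remove, glibc's `nscd` daemon caches passwd and group answers in front of nss_ldap, which is the usual fix for the slow `ls -l` described above.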