
Re: openldap, pam_ldap, accounts



On Mon, 6 Dec 1999, John P. Looney wrote:

> > > Kate
> > ???
> http://www.redbrick.dcu.ie/~valen/kate.html

Fair enough!  :-)

> > - PAM (pluggable authentication modules) is an authentication API so that you
[...]
> > - NSS (name service switch) is really just an admin-controlled backend for
[...]
> OK. I've a few problems with both of them.

They're definitely not perfect, that's for sure.  ;-)

> I like NSS, in that it's a lot easier to control, and I'm more familiar with
> it than PAM. But, if using both doesn't conflict, all the better. I'll use
> both.

They don't conflict, they complement;  we run both.  As noted earlier, it
depends what you're trying to achieve (some people are happy with just NSS
plus a Web page for changing passwords - cool).

Novell has a diagram showing both APIs - it's in relation to their NDS for
Solaris product, but holds pretty true for pam_ldap and nss_ldap, too:

http://www.novell.com/passport/soltoolkit/presentations/nds4sol_tech/slideshow/130.html

Novell has a PowerPoint version you can download to make reading the picture
easier.  ;-)

http://www.novell.com/passport/soltoolkit/nds4solaris.html

> The main problem with nss_ldap isn't the round-trip time. It doesn't seem
> to cache information.

That's left to the host system - it just does what it's told, to perform a
lookup.  Systems like Solaris come with "nscd" (name service cache daemon),
not a perfect solution in itself but does the job of caching element/entry
lookups (and works).  As Luke has already indicated, it doesn't generally
cache enumerations (confirmed behaviour).  As long as you don't enter:

tcsh% cd ~jo<TAB>

and expect a quick completion response...  ;-)

> This isn't a big deal with authentication...but if you go into a directory
> that's owned by a user whose UIDs are stored on the LDAP server, and do an
> 'ls -l' on a hundred or so files, it can take a minute or two to complete.

Indexing on uidNumber (as you've done) helps, but doesn't reduce network
traffic (i.e., you're still limited by query latency, incl. performance of LDAP
server under load, etc.);  something like "nscd" provides localised caching
for these instances.

> Should I use the exact /etc/pam.d files that come with pam_ldap then ?
> They are markedly different than the ones that come with RedHat 6.1

I treat the files that come with pam_ldap as a guide only - PAM can be so
annoying to get the behaviour "just right" in many cases (e.g., we use unix
followed by ldap as auth modules, with module stacking set to
"sufficient" then "optional" in order to ensure reasonably transparent
behaviour).

Cheers..


dave
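The unix-then-ldap auth stacking and the NSS/nscd arrangement described in this message, written out as an added illustration that is not part of the original post. Module paths and file names are assumptions for a RedHat 6.1-style layout; the control-flag semantics in the comments are those documented by Linux-PAM.

```text
# /etc/pam.d/login  (assumed path; only the auth stack is shown)
#
# "sufficient": if pam_unix succeeds and nothing earlier failed, the stack
# returns success right here, so local accounts never touch the directory.
# A pam_unix failure is not fatal by itself; evaluation continues.
auth     required    /lib/security/pam_securetty.so
auth     sufficient  /lib/security/pam_unix.so
#
# "optional": the result of pam_ldap only matters if it is the only module
# in the stack, which keeps a flaky or unreachable LDAP server from
# changing the outcome for users who already matched locally.
# use_first_pass re-uses the password pam_unix already collected, so the
# user is not prompted twice (transparent behaviour).
auth     optional    /lib/security/pam_ldap.so use_first_pass

# /etc/nsswitch.conf  (assumed; gives 'ls -l' its uidNumber -> name lookups)
# "files" first so local entries resolve without a network round-trip;
# "ldap" answers for directory users via nss_ldap.
passwd:  files ldap
group:   files ldap
shadow:  files ldap

# nscd caches individual passwd/group entry lookups in front of nss_ldap
# (but not enumerations), so repeated uid lookups from 'ls -l' stop hitting
# the LDAP server on every file.  Start it after editing nsswitch.conf:
#   /etc/rc.d/init.d/nscd start     (assumed init script path)
```

Which stack (login, sshd, su, etc.) needs the unix/ldap pair depends on the services in use; the same three-line auth pattern applies to each.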