
Re: CAN LOGIN WORK WITHOUT PAM



On Tue, 22 Apr 2003, Nitin k. wrote:

> My question is what's the difference in getent and login as far as
> LDAP is concerned, if any AND Is PAM support imperative for the
> Login prog. to work with LDAP ?

All is well here with Slackware (as old as Slackware 7.0, as new as
Slackware 9.0), Linux-PAM 0.77
(ftp://ftp.kernel.org/pub/linux/libs/pam/pre/library/), OpenLDAP 2.0.27,
nss_ldap 205 (ftp://ftp.padl.com/pub/), and pam_ldap 161
(ftp://ftp.padl.com/pub/).

I replaced the Slack packages for shadow
(ftp://ftp.pld.org.pl/software/shadow/) and util-linux
(ftp://ftp.kernel.org/pub/linux/utils/util-linux/).  Compile those with
PAM support and you'll have a pamified login, chsh, chfn, passwd, and so
on.

getent, id, ps, finger, and other utils that use low-level system
functions use nss to look up user info.  If you have nss_ldap installed,
they'll be able to see LDAP accounts.  ...but login, sshd, kdm/gdm/xdm,
and so on, all need to be built against libpam - unless they have direct
LDAP support like auth_ldap for Apache, mod_ldap for Proftpd, etc.

I remember seeing somewhere (can't remember where now of course),
something that could supposedly authenticate with a getent call, but
I would imagine that wouldn't work with shadow passwords and it
would depend on what your LDAP server would return for the password
- and whether or not it hashed it, if it's stored as SSHA1,
cleartext, crypt (the regular one or the md5-ish one), and all that.

  Jason

-- 
Jason Englander <jason@englanders.cc>
394F 7E02 C105 7268 777A  3F5A 0AC0 C618 0675 80CA
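
Added example, not part of the original message: a small check that reads an nsswitch.conf and a pam.d service file and reports separately whether LDAP is wired in for account lookup (what getent and id use) and for authentication (what a PAM-built login uses). The file contents are constructed samples and the function names are hypothetical; it assumes login was compiled against libpam and that pam_ldap is the module providing LDAP authentication.

```python
import re

# Constructed sample configs (not taken from the message above).
NSSWITCH = """\
passwd: files ldap
group:  files ldap
shadow: files
"""
PAM_LOGIN_LOCAL = """\
auth     required   pam_securetty.so
auth     required   pam_unix.so nullok
"""
PAM_LOGIN_LDAP = """\
auth     required   pam_securetty.so
auth     sufficient pam_ldap.so
auth     [success=ok default=die] pam_unix.so use_first_pass
account  sufficient pam_ldap.so
account  required   pam_unix.so
"""

def nss_sources(text, database):
    """Sources listed for one nsswitch.conf database; [STATUS=action] items are dropped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        name, sep, rest = line.partition(":")
        if sep and name.strip() == database:
            return re.sub(r"\[[^\]]*\]", " ", rest).split()
    return []

def pam_modules(text, mgmt_type="auth"):
    """Module names in one management group of a pam.d file (include lines are not followed)."""
    modules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m and m.group(1) == mgmt_type and m.group(2) not in ("include", "substack"):
            modules.append(m.group(3).rsplit("/", 1)[-1])
    return modules

def ldap_coverage(nsswitch_text, pam_text):
    """lookup: NSS can resolve LDAP accounts; auth: the PAM auth stack includes pam_ldap."""
    return {
        "lookup": "ldap" in nss_sources(nsswitch_text, "passwd"),
        "auth": "pam_ldap.so" in pam_modules(pam_text, "auth"),
    }

if __name__ == "__main__":
    print("pam_unix only:", ldap_coverage(NSSWITCH, PAM_LOGIN_LOCAL))
    print("with pam_ldap:", ldap_coverage(NSSWITCH, PAM_LOGIN_LDAP))
```

The first result (lookup true, auth false) is the situation the question describes: getent lists LDAP users, but login cannot authenticate them.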