Re: using LDAP as central authentication unit
On Monday 25 February 2008 20:52:08 Hamidreza Hamedtoolloei wrote:
> so if a user is in both /etc/passwd and ldap, linux authentication is used.
> However, if a user is ONLY in the ldap directory, linux authentication fails
> and ldap is called. Analysing the case where a user is only in
> /etc/passwd:
> In this case, there are some activities on the ldap side which I don't
> understand. If a user is only in /etc/passwd and the pam.d/system.auth file
> says call ldap only if linux fails, then why is ldap called when linux
> authentication is successful?
Because this is NOT PAM. It is an NSS lookup. For example, when you type 'ls',
the filesystem returns the uid that owns the files. To show the username of
the owner, the C library invokes a function from NSS to look up the
username. This has nothing to do with PAM. In a similar way, group
memberships have nothing (much) to do with PAM, but with NSS.
> You say this is expected... but if I understood the pam.d/system.auth file
> correctly, ldap should not be called if a user is only in /etc/passwd
We can't tell, as you haven't provided your /etc/nsswitch.conf file, and none
of the queries from your log look like pam_ldap, they look more like
nss_ldap ...
Regards,
Buchan