
Re: openldap, pam_ldap, accounts



On Sat, Dec 04, 1999 at 12:31:05PM +1100, David J N Begley wrote:
> 
> If you are trying to move certain users entirely out of /etc/* files to an
> LDAP directory (but still have them act/react like normal UNIX users), then at
> the very least you will need both nss_ldap and pam_ldap.
> 

Actually it depends on which PAM module you are using. If you are using
pam_pwdb, then nss_ldap will fail since pwdb tried to replicate what libc
does (badly IMO). If you use pam_unix, then the normal nss_ldap module
will suffice for authentication (so long as the nss_ldap config contains a
bind DN with enough privileges to return a password field).

For password changing you will need pam_ldap, so it can talk directly with
the ldap server.

The nss_ldap module will keep a "shadow-like" system by using a separate
file for binddn and bind password with correct perms (root.shadow 640).

-- 
 -----------=======-=-======-=========-----------=====------------=-=------
/  Ben Collins  --  ...on that fantastic voyage...  --  Debian GNU/Linux   \
`     bcollins@debian.org  -  collinbm@djj.state.va.us  -  bmc@visi.net    '
 `---=========------=======-------------=-=-----=-===-======-------=--=---'
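The mail says the bind DN password lives in its own file with "root.shadow 640" permissions. Here is an added audit script (not part of the original mail or of nss_ldap) that checks a secret file against exactly that requirement; the default path /etc/ldap.secret is an assumption, pass another path as the first argument.

```shell
#!/bin/sh
# Added example: verify that the nss_ldap bind-password file is owned by
# root, group shadow, and is not readable by anyone else (mode 640 or
# stricter). The default path /etc/ldap.secret is an assumption.

# perms_ok OWNER GROUP MODE
# Pure check on already-read metadata, so it can be tested without root.
# Accepts any owner bits, group bits 0 or 4 (read only), other bits 0.
perms_ok() {
    [ "$1" = "root" ]   || { echo "owner is $1, want root" >&2; return 1; }
    [ "$2" = "shadow" ] || { echo "group is $2, want shadow" >&2; return 1; }
    # Keep only the last three octal digits, dropping any leading
    # setuid/setgid/sticky digit (e.g. "1640" -> "640").
    m=${3#${3%???}}
    case "$m" in
        [0-7][04]0) return 0 ;;
        *) echo "mode is $3, want 640 or stricter" >&2; return 1 ;;
    esac
}

# check_secret_file [FILE]
# Reads owner, group and mode with GNU stat and applies perms_ok.
check_secret_file() {
    f="${1:-/etc/ldap.secret}"   # assumed default location
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    perms_ok "$(stat -c %U "$f")" "$(stat -c %G "$f")" "$(stat -c %a "$f")"
}
```

Source the file and call `check_secret_file` (optionally with a path); a non-zero exit status means the bind password is exposed more widely than the mail recommends.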