RSS feed

Re: PAM configuration file

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: PAM configuration file

On Mon, 2010-03-15 at 12:15 -0400, Ryan Steele wrote:
> I've gathered from the nss-pam-ldap documentation that most of the old
> libpam-ldap configuration options (managed by /etc/ldap.conf on
> Ubuntu/Debian) have been removed.

The PAM module in nss-pam-ldapd is not related to the pam_ldap module
(from PADL) and was mostly implemented by Howard Chu.

> Other than the pam_ldap man page, which appears to list a few
> supported pam.d module arguments, the only options I could find which
> have been preserved from libpam-ldap were in the NEWS file, and
> consist of:
>  * deref
>  * ssl
>  * ldap_version

The PAM and NSS functionality share the same LDAP configuration options
(search base, filters, attribute mapping, etc). The same fail-over,
timing, and other functionality is used.

Functionality for these pam_ldap options is currently not implemented:
  pam_lookup_policy, pam_check_host_attr, pam_check_service_attr,
  pam_groupdn, pam_min_uid, pam_max_uid, pam_template_login_attribute,
  pam_template_login, pam_password (only exop and exop_send_old are
  currently automatically tried), pam_password_prohibit_message and

> Is it safe to say that other than these, none of the old options
> in /etc/ldap.conf used by libpam-ldap are supported with libpam-ldapd
> (e.g., the pam_filter option, which restricts access to TTY's based on
> group memberships)?  I just wanted to verify so I know what
> functionality will have to be offloaded to another part of the
> system/application.

Currently nss-pam-ldapd does not implement authorisation checks (the
nssov overlay does implement some btw). I would like authorisation to be
a bit more flexible than with pam_ldap. More information can be found in
this thread:

Feedback on the patch, suggestions and improvements are welcome.

-- arthur - - --
To unsubscribe send an email to or see