Re: PAM configuration file
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: PAM configuration file
- Date: Mon, 15 Mar 2010 20:49:20 +0100

On Mon, 2010-03-15 at 12:15 -0400, Ryan Steele wrote:
> I've gathered from the nss-pam-ldap documentation that most of the old
> libpam-ldap configuration options (managed by /etc/ldap.conf on
> Ubuntu/Debian) have been removed.

The PAM module in nss-pam-ldapd is not related to the pam_ldap module
(from PADL) and was mostly implemented by Howard Chu.

> Other than the pam_ldap man page, which appears to list a few
> supported pam.d module arguments, the only options I could find which
> have been preserved from libpam-ldap were in the NEWS file, and
> consist of:
>
> * deref
> * ssl
> * ldap_version

The PAM and NSS functionality share the same LDAP configuration options
(search base, filters, attribute mapping, etc). The same fail-over,
timing, and other functionality is used.

Functionality for these pam_ldap options is currently not implemented:
pam_lookup_policy, pam_check_host_attr, pam_check_service_attr,
pam_groupdn, pam_min_uid, pam_max_uid, pam_template_login_attribute,
pam_template_login, pam_password (only exop and exop_send_old are
currently automatically tried), pam_password_prohibit_message and
pam_sasl_mech.

> Is it safe to say that other than these, none of the old options
> in /etc/ldap.conf used by libpam-ldap are supported with libpam-ldapd
> (e.g., the pam_filter option, which restricts access to TTY's based on
> group memberships)? I just wanted to verify so I know what
> functionality will have to be offloaded to another part of the
> system/application.

Currently nss-pam-ldapd does not implement authorisation checks (the
nssov overlay does implement some btw). I would like authorisation to be
a bit more flexible than with pam_ldap. More information can be found in
this thread:
http://lists.arthurdejong.org/nss-pam-ldapd-users/2010/msg00022.html

Feedback on the patch, suggestions and improvements are welcome.

--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
--
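
The migration check this reply implies, as an added example (not part of the original message and not nss-pam-ldapd code): a Python scan of a pam_ldap-style ldap.conf for the options listed above as not implemented, so that login restrictions which would stop applying are found before switching modules. The option list is taken from the message; the grouping into access-control options, the function name audit and the sample file are assumptions made for the illustration.

```python
"""Flag ldap.conf options the reply lists as not implemented in nss-pam-ldapd."""

# Option names copied from the list in the message above.
UNIMPLEMENTED = {
    "pam_lookup_policy", "pam_check_host_attr", "pam_check_service_attr",
    "pam_groupdn", "pam_min_uid", "pam_max_uid",
    "pam_template_login_attribute", "pam_template_login",
    "pam_password", "pam_password_prohibit_message", "pam_sasl_mech",
}
# Editor's grouping: the options that restrict who may log in under pam_ldap.
ACCESS_CONTROL = {
    "pam_check_host_attr", "pam_check_service_attr",
    "pam_groupdn", "pam_min_uid", "pam_max_uid",
}
# pam_password values the message says are tried automatically.
PASSWORD_TRIED = {"exop", "exop_send_old"}


def audit(text):
    """Return (lineno, option, value, kind) for each setting that is ignored."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        option, value = (line.split(None, 1) + [""])[:2]
        option = option.lower()
        if option not in UNIMPLEMENTED:
            continue
        if option == "pam_password" and value.lower() in PASSWORD_TRIED:
            continue
        kind = "access-control" if option in ACCESS_CONTROL else "behaviour"
        findings.append((lineno, option, value, kind))
    return findings


# Constructed sample configuration; not taken from any real system.
SAMPLE = """\
# constructed ldap.conf
base dc=example,dc=com
pam_password exop
pam_groupdn cn=shell-users,ou=groups,dc=example,dc=com
pam_check_host_attr yes
pam_password md5
"""

if __name__ == "__main__":
    for lineno, option, value, kind in audit(SAMPLE):
        print(f"line {lineno}: {option} {value!r} is ignored [{kind}]")
```

Findings marked access-control are the ones to re-implement elsewhere (for example in another PAM module or in the application) before the old module is removed.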