RSS feed

Re: PAM configuration file

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: PAM configuration file

Arthur de Jong wrote:
> On Mon, 2010-03-15 at 12:15 -0400, Ryan Steele wrote:
>> I've gathered from the nss-pam-ldap documentation that most of the old
>> libpam-ldap configuration options (managed by /etc/ldap.conf on
>> Ubuntu/Debian) have been removed.
> The PAM module in nss-pam-ldapd is not related to the pam_ldap module
> (from PADL) and was mostly implemented by Howard Chu.
>> Other than the pam_ldap man page, which appears to list a few
>> supported pam.d module arguments, the only options I could find which
>> have been preserved from libpam-ldap were in the NEWS file, and
>> consist of:
>>  * deref
>>  * ssl
>>  * ldap_version
> The PAM and NSS functionality share the same LDAP configuration options
> (search base, filters, attribute mapping, etc). The same fail-over,
> timing, and other functionality is used.
> Functionality for these pam_ldap options is currently not implemented:
>   pam_lookup_policy, pam_check_host_attr, pam_check_service_attr,
>   pam_groupdn, pam_min_uid, pam_max_uid, pam_template_login_attribute,
>   pam_template_login, pam_password (only exop and exop_send_old are
>   currently automatically tried), pam_password_prohibit_message and
>   pam_sasl_mech.

Great, thank you very much for providing this concrete list.

>> Is it safe to say that other than these, none of the old options
>> in /etc/ldap.conf used by libpam-ldap are supported with libpam-ldapd
>> (e.g., the pam_filter option, which restricts access to TTY's based on
>> group memberships)?  I just wanted to verify so I know what
>> functionality will have to be offloaded to another part of the
>> system/application.
> Currently nss-pam-ldapd does not implement authorisation checks (the
> nssov overlay does implement some btw). I would like authorisation to be
> a bit more flexible than with pam_ldap. More information can be found in
> this thread:
> Feedback on the patch, suggestions and improvements are welcome.

This is kind of along my line of thinking on this subject as well.  I will test 
it as soon as I can.  And, not to hijack
this thread, but your patch for the nss_initgroups_ignoreusers option seems to 
work well - we've incorporated it into
the package we use, and I'm pretty pleased with how it works.  Cheers!
To unsubscribe send an email to or see