RSS feed

NSS vs. PAM in nss-pam-ldapd and Active Directory

[Date Prev][Date Next] [Thread Prev][Thread Next]

NSS vs. PAM in nss-pam-ldapd and Active Directory

Hi Arthur et. al,

I'm trying to understand the relationship between the two modules and if
we actually need both. If a RHEL6 server is configured to use KRB5
(/etc/krb5.conf, pam_krb5), are *both* nslcd.conf and pam_ldap.conf
(.so) needed? nsswitch.conf is the usual 'files ldap', Win2k8R2 AD.

It seems that we can comment out in system-auth (leaving and it works fine; I see the README indicates:

"The PAM module that is currently implemented contains functionality for
authentication, account management, password management and session
management. The nslcd daemon currently implements authentication,
authorisation and password modification. The OpenLDAP nssov overlay also
implements session functionality."

Does this mean NSS doesn't support groups from AD and this is a PAM
module function, or...? In practice, when is only one module needed over
the other or are both always required for some functionality I'm not

Thanks for any insight! :)


Troy Engel

To unsubscribe send an email to or see