RSS feed

Re: NSS vs. PAM in nss-pam-ldapd and Active Directory

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: NSS vs. PAM in nss-pam-ldapd and Active Directory

On Tue, 2012-07-31 at 09:02 -0500, Troy Engel wrote:
> I'm trying to understand the relationship between the two modules and if
> we actually need both. If a RHEL6 server is configured to use KRB5
> (/etc/krb5.conf, pam_krb5), are *both* nslcd.conf and pam_ldap.conf
> (.so) needed? nsswitch.conf is the usual 'files ldap', Win2k8R2 AD.

The NSS module provides name lookups from LDAP. This is generally user
names and group membership but can also include host names, network
names and a few others.

The PAM module is mainly used for authentication and authorisation
checks. If you use pam_krb5 for authentication you don't need pam_ldap.
The only added value that the pam_ldap module could have is to implement
extra access controls (e.g. with the pam_authz_search option or checking
account expiry if pam_krb5 doesn't do that).

Using nss_ldap is generally a prerequisite for pam_ldap and
authentication will fail (also with pam_krb5) if the NSS layer can't
find the user.

Hope this clarifies things.

-- arthur - - --
To unsubscribe send an email to or see