Re: NSS vs. PAM in nss-pam-ldapd and Active Directory

On Tue, 2012-07-31 at 09:02 -0500, Troy Engel wrote:
> I'm trying to understand the relationship between the two modules and if
> we actually need both. If a RHEL6 server is configured to use KRB5
> (/etc/krb5.conf, pam_krb5), are *both* nslcd.conf and pam_ldap.conf
> (.so) needed? nsswitch.conf is the usual 'files ldap', Win2k8R2 AD.

The NSS module provides name lookups from LDAP. This is generally user
names and group membership but can also include host names, network
names and a few others.

The PAM module is mainly used for authentication and authorisation
checks. If you use pam_krb5 for authentication you don't need pam_ldap.
The only added value that the pam_ldap module could have is to implement
extra access controls (e.g. with the pam_authz_search option or checking
account expiry if pam_krb5 doesn't do that).

Using nss_ldap is generally a prerequisite for pam_ldap and
authentication will fail (also with pam_krb5) if the NSS layer can't
find the user.

Hope this clarifies things.

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
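The dependency Arthur describes (the NSS layer has to resolve the account before pam_krb5 or pam_ldap can do anything with it) is the first thing to verify when a Kerberos/LDAP login fails. The script below is an added example, not code from the mail or from the nss-pam-ldapd project: it parses a nsswitch.conf for an ldap source, then asks NSS through getent(1) whether the user and its primary group resolve. It assumes a glibc system with getent; the path to nsswitch.conf is a parameter so the parser can be run against a constructed file rather than /etc/nsswitch.conf.

```shell
#!/bin/sh
# Added example (not from the original mail or nss-pam-ldapd).
# Checks the NSS prerequisite for PAM authentication: an account that
# NSS (nss_ldap/nslcd, files, ...) cannot resolve will fail in pam_krb5
# and pam_ldap alike, whatever krb5.conf says.
# Assumes getent(1) from glibc is available.

# nss_sources DB FILE: print the source list configured for database DB
# in nsswitch file FILE (e.g. "files ldap" for "passwd: files ldap").
# Prints nothing if DB is not configured.
nss_sources() {
    sed -n "s/^$1:[[:space:]]*//p" "$2" | head -n 1
}

# nss_has_source DB SOURCE FILE: exit 0 if SOURCE is listed for DB.
nss_has_source() {
    for src in $(nss_sources "$1" "$3"); do
        [ "$src" = "$2" ] && return 0
    done
    return 1
}

# nss_user_known USER: exit 0 if NSS resolves USER from any source.
nss_user_known() {
    getent passwd "$1" >/dev/null 2>&1
}

# nss_primary_group USER: print USER's primary group name, or nothing
# if the user or the group does not resolve through NSS.
nss_primary_group() {
    gid=$(getent passwd "$1" 2>/dev/null | cut -d: -f4)
    [ -n "$gid" ] && getent group "$gid" 2>/dev/null | cut -d: -f1
}

# check_account USER FILE: report whether PAM could proceed for USER.
# Exit 0 only when NSS resolves the account.
check_account() {
    user=$1
    nsswitch=$2
    if ! nss_has_source passwd ldap "$nsswitch"; then
        echo "passwd: no ldap source in $nsswitch" \
             "(sources: '$(nss_sources passwd "$nsswitch")')"
    fi
    if ! nss_user_known "$user"; then
        echo "$user: not resolvable via NSS;" \
             "pam_krb5/pam_ldap will fail before authentication"
        return 1
    fi
    echo "$user: resolvable via NSS" \
         "(primary group: $(nss_primary_group "$user"))"
    return 0
}

# Usage: check_account someuser /etc/nsswitch.conf
```

Run it as check_account <user> /etc/nsswitch.conf on the affected host; if it reports the user as not resolvable, fix nslcd/nsswitch first, since no PAM-side change (pam_krb5 or pam_ldap) will help until getent passwd returns the account.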