RSS feed

nss-pam-ldapd, AD and binding

[Date Prev][Date Next] [Thread Prev][Thread Next]

nss-pam-ldapd, AD and binding

Hello.  I want to set up pam+nss ldap support against an AD server
(preferably not using e.g. centrify), but I have a bit of a problem.

The AD installation in question does not allow anonymous search, so I
have to bind.  I *could* add a bind user with password and all, but this
is quite a lot of pain (I need to change the password of that user all
the time, I need passwords written down, etc, etc).

What I'd like is for my pam module to bind to AD using short form
( or DOMAIN\username) -- which it has[0] -- and the
user's password (which it has).  Further, I'd like nslcd to retrieve
enough info at that time so it wouldn't have to look up anything else
(otherwise how would nss later work, since the password is now lost).

In a pinch, nslcd could cache the user password, but that sounds like a
bad idea.

Is this possible?

[0] - It would have to be configurable how to create the shortform from
      a username, but that's a lot less configuration than a binddn and
      bindpw (perhaps not a lot less, but at least it's not a password).

Henrik Grindal Bakken <>
PGP ID: 8D436E52
Fingerprint: 131D 9590 F0CF 47EF 7963  02AF 9236 D25A 8D43 6E52
To unsubscribe send an email to or see