lists.arthurdejong.org

Re: Can I use pam_ldap without nss?




Thank you! That is exactly what I needed to know. So, as long as the username and group name are in /etc/passwd and /etc/groups, then pam_ldap should work (provided /etc/pam.d is set up correctly)?

That's the part that is confusing me -- how does pam_ldap know which LDAP attributes to align with the usernames in /etc/passwd? I am sure I am just overlooking some obvious documentation -- feel free to set me straight.

Thanks

Jonathan Bowman



On Fri, Jun 15, 2018 at 11:36 AM, Arthur de Jong <arthur [at] arthurdejong.org> wrote:
On Fri, 2018-06-15 at 07:11 -0400, Jonathan Bowman wrote:
> On Alpine linux, a lightweight distro based on musl, libnss_ldap.so.2
> does not compile, as glibc is unavailable.
>
> However, Alpine does have the nss-pam-ldapd package, which includes
> everything but nss. It even has a running nslcd, but without
> libnss_ldap linked.
>
> Is there any way I can use the parts that are working? In other
> words, how might one use pam_ldap without nss?

The PAM stack is more or less separate from the NSS stack but for it to
work correctly the user accounts will have to be available on the
system. So having the users available from NSS (i.e. `getent passwd
username` works) is a prerequisite to be able to log in using PAM with
that username.

I know there are a number of systems that populate /etc/passwd and
/etc/shadow with information from LDAP (but I don't know of any nicely
packaged solutions that do that). Then you would only use PAM for the
password authentication and possible access controls.

--
-- arthur - arthur [at] arthurdejong.org - https://arthurdejong.org/ --
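
The reply above mentions populating /etc/passwd from LDAP so that PAM is used only for password authentication. A sketch of that step, as an added example that is not part of the original thread or of nss-pam-ldapd: it assumes RFC 2307 `posixAccount` attributes in LDIF form, and `MIN_UID`, `ldif_to_passwd` and `sample_ldif` are hypothetical names.

```shell
# MIN_UID is a hypothetical local policy: lower uidNumbers are refused so a
# directory entry can never become root or shadow a system account.
MIN_UID=1000

# Convert RFC 2307 posixAccount entries (LDIF on stdin) to passwd(5) lines.
ldif_to_passwd() {
    awk -v min_uid="$MIN_UID" '
    function flush(   k) {
        if (a["uid"] != "") {
            # Refuse anything that could corrupt the colon-separated format.
            if (a["uid"] !~ /^[a-z_][a-z0-9_-]*$/ ||
                a["uidNumber"] !~ /^[0-9]+$/ || a["gidNumber"] !~ /^[0-9]+$/ ||
                a["uidNumber"] + 0 < min_uid || a["gecos"] ~ /:/ ||
                a["homeDirectory"] !~ /^\/[^:]*$/ || a["loginShell"] !~ /^\/[^:]*$/)
                print "skipped: " a["dn"] | "cat 1>&2"
            else    # password field "x": authentication is left to PAM
                printf "%s:x:%s:%s:%s:%s:%s\n", a["uid"], a["uidNumber"],
                    a["gidNumber"], a["gecos"], a["homeDirectory"], a["loginShell"]
        }
        for (k in a) delete a[k]
    }
    /^$/ { flush(); next }
    # Plain "attr: value" lines only; base64 ("attr:: ") and folded lines are ignored.
    /^[A-Za-z]+: / { sep = index($0, ": "); a[substr($0, 1, sep - 1)] = substr($0, sep + 2) }
    END { flush() }
    '
}

# Constructed sample export, not real directory data.
sample_ldif() {
    cat <<'EOF'
dn: uid=alice,ou=people,dc=example,dc=org
uid: alice
uidNumber: 1001
gidNumber: 1001
gecos: Alice Example
homeDirectory: /home/alice
loginShell: /bin/ash

dn: uid=svc,ou=people,dc=example,dc=org
uid: svc
uidNumber: 0
gidNumber: 0
homeDirectory: /root
loginShell: /bin/ash
EOF
}

sample_ldif | ldif_to_passwd
```

Review the generated lines before merging them into /etc/passwd; `getent passwd alice` should then resolve the account from the local file.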
