Re: Can I use pam_ldap without nss?

On Fri, 2018-06-15 at 11:40 -0400, Jonathan Bowman wrote:
> Thank you! That is exactly what I needed to know. So, as long as the
> username and group name are in /etc/passwd and /etc/groups, then
> pam_ldap should work (provided /etc/pam.d is set up correctly)?
> That's the part that is confusing me -- how does pam_ldap know which
> LDAP attributes to align with the usernames in /etc/passwd? I am sure
> I am just overlooking some obvious documentation -- feel free to set
> me straight.

The PAM stack basically works on the username. One of the steps is to
get the full account properties via NSS. This includes everything in
/etc/passwd and /etc/shadow.

That is what pam_unix does normally and you can even just use pam_unix
if you have nss_ldap expose password hashes via shadow lookups (this is
how you can get nss-pam-ldapd working on systems without PAM).

The other way around would work similarly. In that case pam_unix will
not be able to complete the authentication (because of missing or wrong
password hashes in /etc/shadow) and pam_ldap will delegate to nslcd and
do LDAP lookups.

In fact nslcd will look up all the usual shadow attributes available in
LDAP and perform the same checks that pam_unix usually does.

The systems are set up reasonably flexibly and you can mix and match
all kinds of lookups.

-- arthur - - --
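As an added illustration of the local-then-LDAP mix described in the reply above (this is not part of the original thread), a minimal nsswitch.conf excerpt and a PAM auth stack for a Debian-style layout; the file paths, the `minimum_uid` value and the use of `sufficient` control flags are assumptions chosen for the example:

```text
# /etc/nsswitch.conf (excerpt): account properties are resolved from the
# local files first and then from nslcd, so pam_unix and pam_ldap both see
# the same passwd/shadow record for a given username.
passwd:  files ldap
group:   files ldap
shadow:  files ldap

# /etc/pam.d/common-auth (example stack)
# pam_unix succeeds only when the shadow lookup (local file or nslcd) yields a
# matching hash; "sufficient" ends the stack on success and falls through
# to the next line on failure.
auth  sufficient  pam_unix.so
# pam_ldap reuses the password already entered (use_first_pass) and asks
# nslcd to verify it against LDAP; minimum_uid keeps low-UID accounts such
# as root from ever being checked against LDAP (assumed cutoff of 1000).
auth  sufficient  pam_ldap.so use_first_pass minimum_uid=1000
# Reached only when both modules fail.
auth  required    pam_deny.so
```

With this ordering a correct local password never reaches LDAP, while a missing or wrong local hash sends the same password to pam_ldap, which is the fallthrough the reply describes.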