
Re: Can I use pam_ldap without nss?

On Fri, 2018-06-15 at 11:40 -0400, Jonathan Bowman wrote:
> Thank you! That is exactly what I needed to know. So, as long as the
> username and group name are in /etc/passwd and /etc/groups, then
> pam_ldap should work (provided /etc/pam.d is set up correctly)?
> 
> That's the part that is confusing me -- how does pam_ldap know which
> LDAP attributes to align with the usernames in /etc/passwd? I am sure
> I am just overlooking some obvious documentation -- feel free to set
> me straight.

The PAM stack basically works on the username. One of the steps is to
get the full account properties via NSS. This includes everything in
/etc/passwd and /etc/shadow.

That is what pam_unix does normally and you can even just use pam_unix
if you have nss_ldap expose password hashes via shadow lookups (this is
how you can get nss-pam-ldapd working on systems without PAM).

The other way around would work similarly. In that case pam_unix will
not be able to complete the authentication (because of missing or wrong
password hashes in /etc/shadow) and pam_ldap will delegate to nslcd and
do LDAP lookups.

In fact nslcd will look up all the usual shadow attributes available in
LDAP and perform the same checks that pam_unix usually does.

The systems are set up reasonably flexibly and you can mix and match
all kinds of lookups.

-- 
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --
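The fall-through arrangement described in the reply above (pam_unix fails for an LDAP-only user because /etc/shadow holds no hash, so pam_ldap gets a turn and delegates to nslcd) is expressed in PAM with per-module control flags. The following is an added illustration, not part of the original message or of the nss-pam-ldapd project's files. It assumes a Debian-style split of /etc/pam.d/common-auth and nsswitch.conf; the minimum_uid value is a constructed example, chosen so that local system accounts are never sent to LDAP.

```text
# /etc/pam.d/common-auth (auth phase only)
#
# pam_unix succeeds for accounts with a valid hash in /etc/shadow;
# "success=2" then skips the next two lines straight to pam_permit.
# If pam_unix fails (LDAP-only user, no local hash), "default=ignore"
# lets the stack fall through to pam_ldap, which hands the already
# typed password (use_first_pass) to nslcd for the LDAP bind and
# shadow-attribute checks.
auth    [success=2 default=ignore]  pam_unix.so nullok_secure
auth    [success=1 default=ignore]  pam_ldap.so minimum_uid=1000 use_first_pass
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so

# /etc/nsswitch.conf
#
# The account-properties step of the PAM stack still goes through NSS,
# so every authenticating user must resolve here; "files" is consulted
# before "ldap", and LDAP users need nslcd running to be found at all.
passwd: files ldap
group:  files ldap
shadow: files ldap
```

Two practical checks follow from this layout: `getent passwd <user>` must return the LDAP account before authentication can succeed (otherwise the NSS step fails before any password is examined), and `pam_deny.so` must stay in place so that an "ignore" result from both modules cannot silently turn into success.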