lists.arthurdejong.org

Re: separate Unix domain sockets for NSS and PAM


On Wed, 2019-09-18 at 18:46 +0200, Michael Ströder wrote:
> I'm using nss-pam-ldapd's PAM and NSS frontend modules for sending
> NSS and PAM requests to my own custom demon implemented with Python.
> 
> Now for various reasons I'm trying to isolate things a bit more. E.g.
> in my setup I'd like to have separate NSS and PAM services listening
> on separate sockets.

The easiest thing for now would probably be to compile the code twice,
once with --with-nslcd-socket=PATH1 and once with
--with-nslcd-socket=PATH2. You could also compile once with --disable-nss
and the other with --disable-pam.

> Before I start developing a patch:
> Would that be a feature accepted into upstream?

I don't see a very compelling use case for this in general use. With
the current implementation the PAM lookups also use a lot of the NSS
definitions (filters, search base, etc.) so running two daemons with
differing configurations would also make things more complex without
very much benefit.

Feel free to try to convince me though. ;) If there are good arguments
to have this in nss-pam-ldapd I'm willing to listen.

Thanks,

-- 
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --