Re: Migrating from pam-ldap
[
Date Prev][
Date Next]
[
Thread Prev][
Thread Next]
Re: Migrating from pam-ldap
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: Philip Prindeville <philipp_subx [at] redfish-solutions.com>, nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: Migrating from pam-ldap
- Date: Sat, 18 Nov 2023 16:00:19 +0100
Hi Philip,
On Wed, 2023-11-15 at 10:16 -0700, Philip Prindeville wrote:
> First, is there an equivalent of "groupdn" that can be configured?
There is a pam_authz_search [1] option that you can use to define
arbitrary LDAP searches that are performed after authentication to do
additional authorisation checks.
Enforcing that a user is a member of a particular group can probably (I
haven't tested this) be done with something like:
pam_authz_search
(&(objectClass=posixGroup)(cn=mygroupname)(|(member=$dn)(memberUid=$uid)))
> Second, running OpenLDAP in debug mode, I'm seeing a *lot* of
> traffic. I thought the whole point of nslcd was to do caching to
> reduce traffic? Do I need to configure anything explicitly to have
> caching work?
For caching it is recommended to also use (u)nscd on the system [2].
The nslcd service does not do caching (except for some caching if
username to DN lookups to speed up queries). The c in nslcd stands for
"connection" not "caching" ;) The main reason to use nslcd is to have
address space separation [3] though that is less of an issue for the
PAM module than it is for the NSS module.
nslcd does try to flush other caches (nscd/idmapd) when it detects that
the LDAP server was unreachable for some time so using those should be
relatively safe.
Hope this helps,
[1] https://arthurdejong.org/nss-pam-ldapd/nslcd.conf.5#pam_authz_search
[2] https://arthurdejong.org/nss-pam-ldapd/setup
[3] https://arthurdejong.org/nss-pam-ldapd/design
--
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --
