lists.arthurdejong.org

Re: Migrating from pam-ldap


Hi Philip,

On Wed, 2023-11-15 at 10:16 -0700, Philip Prindeville wrote:
> First, is there an equivalent of "groupdn" that can be configured?

There is a pam_authz_search [1] option that you can use to define
arbitrary LDAP searches that are performed after authentication to do
additional authorisation checks.

Enforcing that a user is a member of a particular group can probably (I
haven't tested this) be done with something like:

pam_authz_search 
(&(objectClass=posixGroup)(cn=mygroupname)(|(member=$dn)(memberUid=$uid)))

> Second, running OpenLDAP in debug mode, I'm seeing a *lot* of
> traffic.  I thought the whole point of nslcd was to do caching to
> reduce traffic?  Do I need to configure anything explicitly to have
> caching work?

For caching it is recommended to also use (u)nscd on the system [2].
The nslcd service does not do caching (except for some caching of
username to DN lookups to speed up queries). The c in nslcd stands for
"connection" not "caching" ;) The main reason to use nslcd is to have
address space separation [3] though that is less of an issue for the
PAM module than it is for the NSS module.

nslcd does try to flush other caches (nscd/idmapd) when it detects that
the LDAP server was unreachable for some time so using those should be
relatively safe.

Hope this helps,


[1] https://arthurdejong.org/nss-pam-ldapd/nslcd.conf.5#pam_authz_search
[2] https://arthurdejong.org/nss-pam-ldapd/setup
[3] https://arthurdejong.org/nss-pam-ldapd/design

-- 
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --