
Re: Migrating from pam-ldap

> On Nov 18, 2023, at 8:00 AM, Arthur de Jong <arthur@arthurdejong.org> wrote:
> 
> Hi Philip,
> 
> On Wed, 2023-11-15 at 10:16 -0700, Philip Prindeville wrote:
>> First, is there an equivalent of "groupdn" that can be configured?
> 
> There is a pam_authz_search [1] option that you can use to define
> arbitrary LDAP searches that are performed after authentication to do
> additional authorisation checks.
> 
> Enforcing that a user is a member of a particular group can probably (I
> haven't tested this) be done with something like:
> 
> pam_authz_search (&(objectClass=posixGroup)(cn=mygroupname)(|(member=$dn)(memberUid=$uid)))


Okay, it was previously:

groupdn cn=PAM,ou=Groups,dc=example,dc=com

But now I think I can use:

pam_authz_search (&(objectClass=person)(memberOf=cn=PAM,ou=Groups,dc=example,dc=com))

Looks like this should work.

By the way, how does one accommodate values containing spaces, etc., in the
/etc/nslcd.conf file?  "bindpw" or the "map" replacement attribute might include
spaces, for instance.

Thanks,

-Philip



> 
>> Second, running OpenLDAP in debug mode, I'm seeing a *lot* of
>> traffic.  I thought the whole point of nslcd was to do caching to
>> reduce traffic?  Do I need to configure anything explicitly to have
>> caching work?
> 
> For caching it is recommended to also use (u)nscd on the system [2].
> The nslcd service does not do caching (except for some caching of
> username to DN lookups to speed up queries). The c in nslcd stands for
> "connection" not "caching" ;) The main reason to use nslcd is to have
> address space separation [3] though that is less of an issue for the
> PAM module than it is for the NSS module.
> 
> nslcd does try to flush other caches (nscd/idmapd) when it detects that
> the LDAP server was unreachable for some time so using those should be
> relatively safe.
> 
> Hope this helps,
> 
> 
> [1] https://arthurdejong.org/nss-pam-ldapd/nslcd.conf.5#pam_authz_search
> [2] https://arthurdejong.org/nss-pam-ldapd/setup
> [3] https://arthurdejong.org/nss-pam-ldapd/design
> 
> -- 
> -- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --
>
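Added example, not code from the thread above or from the nss-pam-ldapd project: a small Python model of how a pam_authz_search filter is evaluated, run against a constructed in-memory directory instead of a real LDAP server. It assumes the semantics described for the option in the nslcd.conf(5) page linked as [1]: $uid and $dn are replaced with the authenticating user's values, the expanded filter is run as an ordinary subtree search from the configured base, and authorisation succeeds only if at least one entry is returned. The entry DNs, attribute values and the group name PAM are invented for the example; the filter parser covers only the &, |, !, equality, presence and substring forms, and matching is case-insensitive, which is a simplification of real LDAP matching rules. Running it shows three things a practitioner would want to check before deploying such a filter: the posixGroup-style filter is decided by the group entry and so needs no server-side overlay; a memberOf-style filter only works where the server actually maintains memberOf on the user entries (for example with OpenLDAP's memberof overlay); and a filter that references neither $uid nor $dn matches the same entries for every user, so it grants access to anyone once the group has a single member.

```python
"""Model of pam_authz_search evaluation against a constructed directory (added example)."""
import re

# Constructed sample directory: DN -> attributes (every value is a list).
# alice carries a memberOf value as a memberOf overlay would maintain it; bob does not.
DIRECTORY = {
    "uid=alice,ou=People,dc=example,dc=com": {
        "objectClass": ["person", "posixAccount"],
        "uid": ["alice"],
        "memberOf": ["cn=PAM,ou=Groups,dc=example,dc=com"],
    },
    "uid=bob,ou=People,dc=example,dc=com": {
        "objectClass": ["person", "posixAccount"],
        "uid": ["bob"],
    },
    "cn=PAM,ou=Groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"],
        "cn": ["PAM"],
        "memberUid": ["alice"],
        "member": ["uid=alice,ou=People,dc=example,dc=com"],
    },
}

# Filter templates under discussion (group name and base are assumptions).
GROUP_FILTER = "(&(objectClass=posixGroup)(cn=PAM)(|(member=$dn)(memberUid=$uid)))"
MEMBEROF_FILTER_AS_POSTED = "(&(objectClass=person)(memberOf=cn=PAM,ou=Groups,dc=example,dc=com))"
MEMBEROF_FILTER_WITH_UID = "(&(objectClass=person)(uid=$uid)(memberOf=cn=PAM,ou=Groups,dc=example,dc=com))"


def escape_filter_value(value):
    """RFC 4515 escaping of a value that is spliced into a filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def expand_template(template, uid, dn):
    """Replace the $uid and $dn placeholders with the authenticating user's values."""
    return template.replace("$dn", escape_filter_value(dn)).replace("$uid", escape_filter_value(uid))


def parse_filter(text):
    """Parse an RFC 4515 filter into nested tuples: &, |, !, equality, presence, substring."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data in filter at offset %d" % pos)
    return node


def _parse(s, i):
    if s[i:i + 1] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    op = s[i:i + 1]
    if op in ("&", "|"):
        i += 1
        children = []
        while s[i:i + 1] == "(":
            child, i = _parse(s, i)
            children.append(child)
        return ("and" if op == "&" else "or", children), _expect(s, i, ")")
    if op == "!":
        child, i = _parse(s, i + 1)
        return ("not", child), _expect(s, i, ")")
    end = s.index(")", i)                   # escaped ')' inside values is written as \29
    attr, sep, value = s[i:end].partition("=")
    if not attr or not sep:
        raise ValueError("unsupported filter item %r" % s[i:end])
    return ("eq", attr.lower(), value), end + 1


def _expect(s, i, ch):
    if s[i:i + 1] != ch:
        raise ValueError("expected %r at offset %d" % (ch, i))
    return i + 1


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive: a simplification)."""
    kind = node[0]
    if kind == "and":
        return all(matches(c, entry) for c in node[1])
    if kind == "or":
        return any(matches(c, entry) for c in node[1])
    if kind == "not":
        return not matches(node[1], entry)
    _, attr, pattern = node
    lowered = {k.lower(): v for k, v in entry.items()}
    values = [v.lower() for v in lowered.get(attr, [])]
    if pattern == "*":                      # presence filter
        return bool(values)
    if "*" in pattern:                      # substring filter
        parts = [re.escape(_unescape(p).lower()) for p in pattern.split("*")]
        return any(re.match("^" + ".*".join(parts) + "$", v, re.S) for v in values)
    return _unescape(pattern).lower() in values


def search(directory, base, filter_text):
    """Subtree search: DNs of entries at or under base that match the filter."""
    node, base_l = parse_filter(filter_text), base.lower()
    return [dn for dn, entry in directory.items()
            if (dn.lower() == base_l or dn.lower().endswith("," + base_l)) and matches(node, entry)]


def authorised(directory, template, uid, dn, base="dc=example,dc=com"):
    """pam_authz_search model: access is granted only if the expanded filter matches >= 1 entry."""
    return len(search(directory, base, expand_template(template, uid, dn))) > 0


if __name__ == "__main__":
    for uid in ("alice", "bob"):
        dn = "uid=%s,ou=People,dc=example,dc=com" % uid
        for name, tpl in (("group", GROUP_FILTER), ("memberOf as posted", MEMBEROF_FILTER_AS_POSTED),
                          ("memberOf with uid", MEMBEROF_FILTER_WITH_UID)):
            print("%-5s %-20s -> %s" % (uid, name, authorised(DIRECTORY, tpl, uid, dn)))
```

The same check can be done against a real server by substituting the user's values into the template by hand and running the expanded filter with ldapsearch from the nslcd search base: if it returns an entry for a user who is not in the group, the filter is too loose.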