Different LDAP server for NSS vs PAM?

I believe the majority of LDAP traffic is for NSS, with only
occasional needs for PAM. Thus I am considering one master LDAP server
for PAM (for authentication and password changes, has all our LDAP
data including custom schemas), but a different simpler LDAP server
for NSS (this one is a syncrepl copy of portions of the master, but
wouldn't have password hashes and wouldn't have our custom schemas, it
would have only the fields needed for NSS, and this server would also
sit closer to the client network). The idea is to increase NSS
efficiency, while keeping sensitive data in one place. Perhaps this is
a silly idea or approach to things --- constructive flames welcome,
I'll learn something.

My question is whether libpam-ldapd and libnss-ldapd can be taught to
use different LDAP servers. My impression is they both just talk to
nslcd, and nslcd just has a notion of a single pool of (identical)
LDAP servers.