Ldap NSS PAM Samba

Jan-Hendrik Zab jan.h.zab at googlemail.com
Fri Jul 11 13:36:38 UTC 2008


On Thu, 10 Jul 2008 18:03:04 -0600
Tim Judd <tajudd at gmail.com> wrote:

> sgmayo at mail.bloomfield.k12.mo.us wrote:
> > I am trying to setup a FreeBSD server with samba that uses
> > OpenLdap.  I have installed everything and was doing some
> > configuring.  I set this all up once before on a Linux box, but I
> > basically just went through the motions and really was not sure
> > what all I did...but it worked.  Now I want to understand
> > everything so that I know exactly what all I did. :)
> >
> > I have the following:
> > I installed OpenLdap which put ldap.conf in /usr/local/etc/openldap.
> > I installed PAM which put ldap.conf.dist in /usr/local/etc.
> > I installed NSS which put nss_ldap.conf in /usr/local/etc.
> >
> > From looking at them I assume that the last two are the same file
> > and one
> > of them just needs to be renamed to ldap.conf and configured for
> > PAM and NSS, is that correct?
> >
> > The ldap.conf in /usr/local/etc/openldap is a different config file
> > even though it has the same name?  It is used for openldap and the
> > other is used for PAM and NSS?
> >
> > Thanks for any info.
> >
> >   
> openldap/ldap.conf is the OpenLDAP client configuration.  You're
> likely looking for the LDAP server configuration, openldap/slapd.conf
> 
> etc/ldap.conf is for PAM, and etc/nss_ldap.conf are not to be
> merged. I've played ***VERY*** briefly with LDAP authentication
> through PAM and NSS, and both were required.  I can't quote easily
> what the difference between NSS and PAM is, but all the docs I
> referenced from Google when I searched said I needed both.

It's theoretically possible (with symlinks) to use only one file for all
three, but you really need to know what you're doing.

OpenLDAP tools, pam_ldap and nss_ldap have more or less the same
configuration options, but there are a few quite subtle differences
between them; the easiest thing is to just configure them separately
while having a look at the appropriate man page.

Additionally, they don't start to bark at you when you configure a
parameter that does not exist (one that is pam_ldap-only or nss_ldap-only,
etc.). It wouldn't be easy to find out that the syntax of one of the three
was changed, etc.

	Jan-Hendrik Zab
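Because none of the three consumers complains about an option it does not know, drift between the files goes unnoticed until a login fails. The following script is an added example (not from the thread or from any of the projects) that parses the three files as plain "key value" lines, flags a key whose value differs between files, and lists keys that appear in only one file so they can be checked against that consumer's man page. File contents and the conflicting BASE are constructed.

```python
import re
from typing import Dict

# Constructed sample contents, one per file named in the thread (not real configs).
SAMPLE_CONFS = {
    "openldap/ldap.conf": "URI  ldap://ldap.example.org\nBASE dc=example,dc=org\n"
                          "TLS_REQCERT demand\n",
    "etc/ldap.conf": "uri ldap://ldap.example.org\nbase dc=example,dc=com\n"
                     "ssl start_tls\ntls_checkpeer yes\npam_password exop\n",
    "etc/nss_ldap.conf": "uri ldap://ldap.example.org\nbase dc=example,dc=org\n"
                         "ssl start_tls\ntls_checkpeer yes\n"
                         "nss_base_passwd ou=People,dc=example,dc=org?one\n",
}


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Parse 'key value' lines; keys compared case-insensitively, last one wins.
    Lines starting with '#' are comments; blank lines are skipped."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        opts[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def audit(confs: Dict[str, Dict[str, str]]) -> Dict[str, object]:
    """Return keys whose values disagree across files ('conflicts') and keys that
    occur in exactly one file ('unique', to be verified against that man page)."""
    all_keys = set().union(*confs.values())
    conflicts, unique = {}, {name: set() for name in confs}
    for key in sorted(all_keys):
        holders = {n: c[key] for n, c in confs.items() if key in c}
        if len(holders) == 1:
            unique[next(iter(holders))].add(key)
        elif len(set(holders.values())) > 1:
            conflicts[key] = holders
    return {"conflicts": conflicts, "unique": unique}


def audit_samples() -> Dict[str, object]:
    return audit({n: parse_ldap_conf(t) for n, t in SAMPLE_CONFS.items()})


if __name__ == "__main__":
    report = audit_samples()
    for key, holders in report["conflicts"].items():
        print(f"CONFLICT {key}: {holders}")
    for name, keys in report["unique"].items():
        print(f"only in {name}: {sorted(keys)} (check that consumer's man page)")
```

Point the dictionary at the real paths under /usr/local/etc and the same two checks apply to the live files.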

