LDAP authentication confusion

Ben Morrow ben at morrow.me.uk
Mon Jul 15 22:53:16 UTC 2013


Quoth Jan Bramkamp <crest at rlwinm.de>:
> On 15.07.2013 21:51, Daniel Eischen wrote:
> > 
> > Wouldn't it be easier just to edit /etc/nsswitch.conf
> > anyway?
> PAM and NSS switch are two different subsystems. NSS is just for
> resource lookups (users, groups, hosts, ...). PAM is for access control.
> 
> With ldap in nsswitch.conf for users and groups you can look up an LDAP
> user but the user can't log into $service through PAM. This requires
> pam_ldap.so in pam.d/$service.

The default pam_unix.so calls getpwent, so if nss_ldap returns cryptable
passwords in its result I think pam_unix can authenticate against those.

This is not the same as authenticating by LDAP bind, but may end up
accepting the same passwords.

Ben
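To make the NSS/PAM split in this thread concrete, here is an added configuration sketch (not from the original post, and not the FreeBSD project's shipped defaults verbatim) showing the two files involved on a FreeBSD host that uses the net/nss_ldap and security/pam_ldap ports. The module path `/usr/local/lib/pam_ldap.so`, the service name `sshd` and the `try_first_pass` option are assumptions for the illustration; they are commonly used with those ports but should be checked against the installed versions.

```conf
# /etc/nsswitch.conf (excerpt)
# NSS only answers lookups: getpwnam(3), getgrnam(3), getent(1) and so on.
# With this in place, "getent passwd alice" can return an LDAP user,
# but nothing here grants alice the right to log in anywhere.
passwd: files ldap
group:  files ldap

# /etc/pam.d/sshd (excerpt, auth stack only)
# PAM decides whether a login attempt is accepted. Without a pam_ldap
# line, only pam_unix.so runs: it calls getpw*() through NSS and compares
# the supplied password against whatever crypt(3) hash NSS hands back.
# If nss_ldap returns "*" or "x" in the password field, pam_unix cannot
# authenticate the user, even though the account resolves.
auth  sufficient  pam_opie.so             no_warn no_fake_prompts
auth  requisite   pam_opieaccess.so       no_warn allow_local
# Assumed line added for LDAP bind authentication (path from the port):
auth  sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
auth  required    pam_unix.so             no_warn try_first_pass
```

With `pam_ldap.so` marked `sufficient`, a successful LDAP bind ends the stack; if the bind fails, `pam_unix.so` still runs and, as Ben notes, may accept the same password when nss_ldap exposes a crypt-compatible hash. A quick way to see which path is in play is to compare `getent passwd <user>` (NSS lookup) with an actual login attempt and the resulting `pam_ldap`/`pam_unix` lines in `/var/log/auth.log`.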



More information about the freebsd-stable mailing list