[opensuse-factory] Query on pam_ldap, nss_ldap dependency
Hello,

I am new to this group & subject. I have some query on pam_ldap, nss_ldap.

I downloaded the latest openpam-20120526, openldap-2.4.35, pam_ldap-186, nss_ldap-265 (from PADL.com). I want to enable PAM with authentication from remote LDAP server. I am not clear of minimum package requirement, full flow, configurations and whether some daemon is involved.

From README of pam_ldap-186:

Here are some possible deployment scenarios:
o pam_ldap with account information in /etc flat files, kept manually in sync with LDAP
o pam_ldap with account information in LDAP, using nss_ldap
o pam_ldap with account information in NIS, using ypldapd

It looks like PAM is coupled with NSS. For “pam_ldap” to work with LDAP, nss_ldap is needed. On Ubuntu synaptic also, I found that both pam_ldap, nss_ldap packages have to be installed or removed together. I browsed the source code of pam_ldap and it was directly using openldap APIs. Did not find pam_ldap directly using nss_ldap APIs. I want PAM LDAP functionality, without NSS, unless nss_ldap is mandated by pam_ldap.

Is pam_ldap using nss_ldap at runtime? Is some daemon like nslcd or nscd created by nss_ldap to serve NSS LDAP requests? Is the daemon needed? Can the PAM LDAP functionality work without nss_ldap or daemon nslcd? Also which package or daemon reads nsswitch.conf? Opennss? How is the flow from pam_ldap to nss_ldap? Is the below flow correct?

openpam -> pam.d -> pam_ldap -> nss_ldap -> nslcd -> nsswitch.conf -> openldap -> ldap.conf

Can we remove nss_ldap or kill nslcd and make pam_ldap work with openldap?

Please let me know if some information is not clear.

Thank you very much in advance,
Krishna

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Hello,

I came across a previous query somewhat related to this topic:
http://opensuse.14.x6.nabble.com/11-1-What-is-the-relationship-between-nscd-...

It would be helpful if someone can provide other details requested by me.

Thanks in advance,
Best Regards,
Krishna
Hi,

On Thu, Aug 15, 2013 at 07:42:45PM +0530, Krishna Prasad wrote:
> Hello,
>
> I am new to this group & subject. I have some query on pam_ldap, nss_ldap

I think your question is pretty much off topic here. This list is for discussing the development of the next openSUSE Version. I don't see how your question is connected to that. We don't have openpam in Factory (nor in any of our releases). You'd probably get better answers if you directed your question to the upstream nss_ldap/pam_ldap mailing list (if something like that still exists).

> I downloaded the latest openpam-20120526, openldap-2.4.35, pam_ldap-186, nss_ldap-265 (from PADL.com) I want to enable PAM with authentication from remote LDAP server. I am not clear of minimum package requirement, full flow, configurations and whether some daemon is involved.
>
> From README of pam_ldap-186:
>
> Here are some possible deployment scenarios:
> o pam_ldap with account information in /etc flat files, kept manually in sync with LDAP
> o pam_ldap with account information in LDAP, using nss_ldap
> o pam_ldap with account information in NIS, using ypldapd
>
> It looks like PAM is coupled with NSS. For “pam_ldap” to work with LDAP, nss_ldap is needed.

No. Though most times both are used together. And I think there are very few use cases where it makes sense to use pam_ldap without nss_ldap.

> On Ubuntu synaptic also, I found that both pam_ldap, nss_ldap packages have to be installed or removed together. I browsed the source code of pam_ldap and it was directly using openldap APIs. Did not find pam_ldap directly using nss_ldap APIs. I want PAM LDAP functionality, without NSS, unless nss_ldap is mandated by pam_ldap.
>
> Is pam_ldap using nss_ldap at runtime?

No.

> Is some daemon like nslcd or nscd created by nss_ldap to serve NSS LDAP requests? Is the daemon needed? Can the PAM LDAP functionality work without nss_ldap or daemon nslcd? Also which package or daemon reads nsswitch.conf? Opennss? How is the flow from pam_ldap to nss_ldap? Is the below flow correct?
>
> openpam -> pam.d -> pam_ldap -> nss_ldap -> nslcd -> nsswitch.conf -> openldap -> ldap.conf
>
> Can we remove nss_ldap or kill nslcd and make pam_ldap work with openldap?

You're mixing quite a few things up here and getting these things sorted out on this mailing list is not going to work. Simply because it's offtopic here. I'd suggest you to read the existing nss and pam_ldap documentation to get a better understanding and then ask your remaining questions on mailing lists where they are better suited (e.g. PADL mailing lists, the nscld mailing list and the openldap-technical mailing list).

regards,
Ralf
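Added example, not part of the thread or of the pam_ldap sources: a small Python check that reads the text of nsswitch.conf and of a pam.d service file and reports which of the README's three deployment scenarios a host matches, showing that the PAM auth stack and the NSS account lookup are configured separately. The file contents, function names and result strings are constructed for illustration.

```python
import re

# Constructed sample files (not taken from the thread).
NSS_FILES_ONLY = "passwd: files\ngroup: files\nshadow: files\n"
NSS_WITH_LDAP = "passwd: files ldap  # nss_ldap enabled\ngroup: files ldap\n"
NSS_WITH_NIS = "passwd: files [NOTFOUND=return] nis\n"
PAM_SERVICE = """\
auth     sufficient  pam_ldap.so
auth     required    pam_unix.so try_first_pass
account  required    pam_unix.so
"""

def nss_sources(nsswitch_text, database="passwd"):
    """Ordered lookup sources configured for one nsswitch.conf database."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        name, sep, rest = line.partition(":")
        if sep and name.strip() == database:
            # Drop action items such as [NOTFOUND=return]; keep source names.
            return re.sub(r"\[[^\]]*\]", " ", rest).split()
    return []

def pam_entries(pam_text):
    """(type, control, module) for each rule line of a pam.d service file."""
    rules = []
    for raw in pam_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m:
            module = m.group(3).rsplit("/", 1)[-1]  # strip any directory path
            rules.append((m.group(1), m.group(2), module))
    return rules

def classify(nsswitch_text, pam_text):
    """Map a host's two config files onto the README deployment scenarios."""
    auth_ldap = any(kind == "auth" and module == "pam_ldap.so"
                    for kind, _, module in pam_entries(pam_text))
    if not auth_ldap:
        return "pam_ldap not in auth stack"
    sources = nss_sources(nsswitch_text)
    if "ldap" in sources:
        return "pam_ldap + nss_ldap"
    if "nis" in sources:
        return "pam_ldap + NIS"
    return "pam_ldap + flat files"

if __name__ == "__main__":
    for nss in (NSS_FILES_ONLY, NSS_WITH_LDAP, NSS_WITH_NIS):
        print(classify(nss, PAM_SERVICE))
```

In the flat-files result only the password check goes to LDAP, so each account still has to exist in the local /etc files, as the README's "kept manually in sync" wording indicates.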
Thank you very much for your answers. I will try to approach the mailing list mentioned by you.

I posted to this group because there was an old query related to my topic discussed on this group (below). Sorry in case I have caused inconvenience.
http://opensuse.14.x6.nabble.com/11-1-What-is-the-relationship-between-nscd-...

Best Regards,
Krishna
participants (2)
- Krishna Prasad
- Ralf Haferkamp