Date:      Mon, 15 Jul 2013 23:47:52 +0100
From:      Ben Morrow <ben@morrow.me.uk>
To:        freebsd-stable@freebsd.org
Subject:   Re: LDAP authentication confusion
Message-ID:  <20130715224748.GA45649@anubis.morrow.me.uk>
In-Reply-To: <51E46747.7070705@rlwinm.de>
References:  <Pine.GSO.4.64.1307151438370.8901@sea.ntplx.net> <CAHDg04v8xV-yaCXDzSbOzWEvHRMhDy8x0A=B2eho4iK4b1UuJA@mail.gmail.com> <Pine.GSO.4.64.1307151507130.8901@sea.ntplx.net> <1373915752.13754.140661255962197.3CA2BD96@webmail.messagingengine.com> <Pine.GSO.4.64.1307151550030.8901@sea.ntplx.net>

Quoth Jan Bramkamp <crest@rlwinm.de>:
> On 15.07.2013 21:51, Daniel Eischen wrote:
> > 
> > Wouldn't it be easier just to edit /etc/nsswitch.conf
> > anyway?
> PAM and NSS switch are two different subsystems. NSS is just for
> resource lookups (users, groups, hosts, ...). PAM is for access control.
> 
> With ldap in nsswitch.conf for users and groups you can look up an LDAP
> user, but the user can't log into $service through PAM. This requires
> pam_ldap.so in pam.d/$service.

The default pam_unix.so calls getpwent, so if nss_ldap returns cryptable
passwords in its result I think pam_unix can authenticate against those.

This is not the same as authenticating by LDAP bind, but may end up
accepting the same passwords.

Ben
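Whether the pam_unix path Ben describes can work at all depends on what the NSS lookup actually puts in the password field; the following is an added example (not part of the thread or of FreeBSD's pam_unix) that inspects that field and classifies it. It assumes getent(1) is available; the passwd(5) entries in the demo are constructed.

```sh
#!/bin/sh
# Added example: classify the pw_passwd field returned by an NSS lookup,
# to see whether pam_unix would have a crypt(3) string to compare against.
# Note: on FreeBSD a non-root caller gets "*" for files-backed users, so run
# as root to see what nss_ldap really returns for LDAP users.

# pw_field_kind HASH -> prints one of: none, locked, cryptable, unknown
pw_field_kind() {
    case "$1" in
        ''|'*'|'x'|'!'|'!!') echo none ;;          # placeholder, nothing to crypt
        '!'*|'*'*)           echo locked ;;        # hash present but prefixed/locked
        '$'*'$'*)            echo cryptable ;;     # modular crypt: $1$, $6$, $2b$ ...
        _*)                  echo cryptable ;;     # BSDi extended DES
        *) if [ "${#1}" -eq 13 ]; then echo cryptable; else echo unknown; fi ;;
    esac
}

# check_passwd_line "user:hash:uid:gid:gecos:home:shell" -> "user: kind"
check_passwd_line() {
    user=${1%%:*}
    rest=${1#*:}
    hash=${rest%%:*}
    printf '%s: %s\n' "$user" "$(pw_field_kind "$hash")"
}

# check_user NAME -> resolves NAME through NSS (files, ldap, ...) via getent
check_user() {
    line=$(getent passwd "$1") || { printf '%s: no such user\n' "$1"; return 1; }
    check_passwd_line "$line"
}

# Demo on constructed entries (not real accounts or hashes).
for l in \
    'alice:$6$constructedsalt$constructedhashvalue:1001:1001:Alice:/home/alice:/bin/sh' \
    'bob:*:1002:1002:Bob:/home/bob:/bin/sh' \
    'carol:!$1$constructed$lockedhash:1003:1003:Carol:/home/carol:/bin/sh'
do
    check_passwd_line "$l"
done
```

A result of "none" for an LDAP user means nss_ldap is not handing out a hash, so only pam_ldap's bind-based authentication can log that user in.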
