Date: Mon, 15 Jul 2013 23:47:52 +0100
From: Ben Morrow <ben@morrow.me.uk>
To: freebsd-stable@freebsd.org
Subject: Re: LDAP authentication confusion
Message-ID: <20130715224748.GA45649@anubis.morrow.me.uk>
In-Reply-To: <51E46747.7070705@rlwinm.de>
References: <Pine.GSO.4.64.1307151438370.8901@sea.ntplx.net> <CAHDg04v8xV-yaCXDzSbOzWEvHRMhDy8x0A=B2eho4iK4b1UuJA@mail.gmail.com> <Pine.GSO.4.64.1307151507130.8901@sea.ntplx.net> <1373915752.13754.140661255962197.3CA2BD96@webmail.messagingengine.com> <Pine.GSO.4.64.1307151550030.8901@sea.ntplx.net>

Quoth Jan Bramkamp <crest@rlwinm.de>:
> On 15.07.2013 21:51, Daniel Eischen wrote:
> >
> > Wouldn't it be easier just to edit /etc/nsswitch.conf
> > anyway?
> PAM and NSS switch are two different subsystems. NSS is just for
> resource lookups (users, groups, hosts, ...). PAM is for access control.
>
> With ldap in nsswitch.conf for users and groups you can lookup a LDAP
> user but the user can't log into $service through PAM. This requires
> pam_ldap.so in pam.d/$service.

The default pam_unix.so calls getpwent, so if nss_ldap returns cryptable
passwords in its result I think pam_unix can authenticate against those.
This is not the same as authenticating by LDAP bind, but may end up
accepting the same passwords.

Ben
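
To see which of the two cases in the message above applies on a given host, this added example (not code from the thread) classifies the password field that the passwd lookup returns for accounts not defined in the local `/etc/passwd`: `cryptable` means a crypt-and-compare module such as pam_unix has a hash to check against, while `placeholder` means only an LDAP bind through pam_ldap can authenticate that user. The function names, the sample entries and the "not in `/etc/passwd` means remote" heuristic are assumptions of the example.

```python
import pwd
import re
from collections import namedtuple

# Field shapes that crypt(3) can verify a typed password against.
CRYPTABLE = (
    re.compile(r"^\$[0-9A-Za-z-]+\$.+"),   # modular format: $1$, $2b$, $6$, ...
    re.compile(r"^[./0-9A-Za-z]{13}$"),    # traditional DES: 2-char salt + hash
    re.compile(r"^_[./0-9A-Za-z]{19}$"),   # extended DES
)

def classify(pw_passwd):
    """Classify the password field of one passwd entry."""
    if pw_passwd == "":
        return "empty"
    if any(rx.match(pw_passwd) for rx in CRYPTABLE):
        return "cryptable"
    return "placeholder"   # "*", "x", "*LOCKED*..." and similar markers

def audit(entries, local_names=frozenset()):
    """Map each non-local account name to the class of its password field."""
    return {e.pw_name: classify(e.pw_passwd)
            for e in entries if e.pw_name not in local_names}

def local_account_names(path="/etc/passwd"):
    """Names in the local file (assumption: any other account is remote)."""
    with open(path) as fh:
        return frozenset(line.split(":", 1)[0] for line in fh
                         if line.strip() and not line.startswith("#"))

# Constructed sample entries, not real accounts or real hashes.
Entry = namedtuple("Entry", "pw_name pw_passwd")
SAMPLE = [
    Entry("root", "$6$localsalt$" + "A" * 86),   # local, filtered out below
    Entry("alice", "$6$ldapsalt$" + "B" * 86),   # directory exposes a hash
    Entry("bob", "*"),                           # no hash visible via NSS
    Entry("carol", ""),                          # empty password field
]

if __name__ == "__main__":
    print("sample:", audit(SAMPLE, local_names={"root"}))
    # Run as the account the PAM-using service runs as: the password field
    # a caller sees can depend on its privileges.
    live = audit(pwd.getpwall(), local_account_names())
    for name, kind in sorted(live.items()):
        print(f"{name}: {kind}")
```

A `cryptable` result for directory accounts also means the hashes are readable by whatever identity performs the NSS lookup, which is worth reviewing against the directory's access controls.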
