

I have a technical and precise question about two types of configuration for LDAP: PAM configuration files and nsswitch.conf.
Which is the difference between the passwd_compat configuration and pam_list?
I'm quite confused... thanks in advance.
Filippo


1 Answer

Unless I'm misunderstanding your question you seem to be conflating two different things, which is probably leading to your confusion:

pam_list is an account authorization module - that is, it lets you specify ways of determining if a user's account is "valid" on a given machine. Refer to the man page for pam_list for more information. You would use pam_list in a PAM configuration file in order to allow/deny specific users on specific hosts.
pam_list can be used with allow or deny files, and also has a "compat" option which makes it work the same way NIS traditionally does (+ and - lines in /etc/passwd).
You can refer to the man page for pam_list for more information here.

If you are using LDAP (pam_ldap or similar) there are "better" ways of doing the user authorization stuff - typically using LDAP groups or OUs to control access.
See the appropriate documentation for your LDAP PAM module for the specifics.


passwd_compat is a "pseudo-database" that appears in nsswitch.conf. If you're using LDAP you would usually list LDAP as part of the passwd and group databases, and your LDAP-nsswitch interfacing module (nss_ldap or similar) would handle doing the LDAP lookup bits. You could also set passwd_compat to point to nis or ldap as appropriate. Typically this results in something like:

 passwd: compat
 passwd_compat: files ldap

The man page for nsswitch.conf is a good source of information about this. You may also find some insight in the O'Reilly book Managing NFS and NIS - about 10 years old (2nd Ed.) but still generally applicable.
I believe O'Reilly also has an LDAP book out but I'm not sure if it discusses anything about nsswitch or PAM...

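To make the passwd_compat half of this concrete, here is an added example (not from the post, nor code from nsswitch, pam_list or any LDAP module) that models how a compat lookup walks /etc/passwd: ordinary local entries first, then the +/- lines in order, with the first matching line deciding whether the directory entry is used or the name is excluded; these are the same +/- lines pam_list's "compat" option consults. The directory data, netgroup and passwd lines are constructed, and the override fields a "+" entry may carry are ignored.

```python
# Simplified model of "passwd: compat" name resolution (added example).
# Constructed sample data: what passwd_compat (e.g. ldap) would return.
DIRECTORY = {
    "alice": "alice:x:2001:100:Alice:/home/alice:/bin/sh",
    "bob":   "bob:x:2002:100:Bob:/home/bob:/bin/sh",
    "carol": "carol:x:2003:100:Carol:/home/carol:/bin/sh",
}
NETGROUPS = {"admins": {"alice"}}  # constructed: netgroup -> member names

# Constructed local /etc/passwd: one real entry, then +/- compat lines.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
-bob
+@admins
+carol
"""

def lookup(name, passwd_text=LOCAL_PASSWD, directory=DIRECTORY, netgroups=NETGROUPS):
    """Return the passwd line for `name`, or None if the lookup fails."""
    for line in passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line[0] not in "+-":
            # Ordinary local entry: matches only the user it names.
            if line.split(":", 1)[0] == name:
                return line
            continue
        # +/- line: the part before the first ':' is the selector
        # (override fields after it are ignored in this model).
        sign, spec = line[0], line[1:].split(":", 1)[0]
        if spec == "":
            matched = True                                   # bare "+"/"-": everyone
        elif spec.startswith("@"):
            matched = name in netgroups.get(spec[1:], set())  # netgroup
        else:
            matched = spec == name                           # single user
        if matched:
            # First matching +/- line wins: "+" pulls the directory entry,
            # "-" excludes the name even if the directory knows it.
            return directory.get(name) if sign == "+" else None
    return None  # no local entry and no +/- line admitted the name

def account_valid(name):
    """pam_list-style compat check: the account is valid on this host only
    if the local file or a matching "+" line admits it."""
    return lookup(name) is not None
```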
  • Thanks a lot for the info voretaq! I did not know the difference between the two options, so I asked here. The big picture is: I'm trying to work with an LDAP that grants the authorization for some servers and it is now configured with the `passwd_compat` configuration. The customer had some problems and a third party told him to use `pam_list`. So now, I'm trying to understand the difference in order to have a clear image of the situation. Why use one instead of the other? – Possa Jul 14 '11 at 07:42
  • @Possa both are valid choices. pam_list requires additional infrastructure (the pam_list module, the allowed/denied list) that would need to be maintained on each machine, while using something like the `pam_groupdn` option in pam_ldap would centralize the list of allowed users on the LDAP server. Centralizing makes it easier to change everything everywhere at the same time. – voretaq7 Jul 15 '11 at 14:59