
In the last days I have set up some Linux system with LDAP authentication and everything works fine, but there's still something I can't really understand regarding NSS and PAM, also after a lot of research.

Citing:

NSS allows administrators to specify a list of sources where authentication files, host names and other information will be stored and searched for

and

PAM is a set of libraries that provide a configurable authentication platform for applications and the underlying operating system

What I don't understand is how PAM and NSS work and interact together. In this book the architecture is explained pretty well: I configure PAM to use pam_ldap for LDAP accounts and pam_unix for local accounts, then I configure nsswitch.conf to fetch information from local files and LDAP.

If I have understood correctly LDAP is used twice: first by pam_ldap and then by NSS which is itself called from pam_unix. Is that right? Is LDAP really used twice? But why do I need to configure both NSS and PAM? My explanation is that PAM performs different tasks than NSS and it is used by other programs. But, then, it should be possible to use only NSS or only PAM, as I have read in this page.

So I experimented a bit and I have first tried to delete LDAP from the nsswitch.conf (and the authentication stopped working, as if pam_ldap alone is not enough to do the job). Then I re-enabled LDAP in NSS and I deleted it from the PAM configuration (this time everything worked fine, as if pam_ldap is useless and NSS is enough to authenticate a user).

Is there anyone who can help me to clarify this? Many thanks in advance.

UPDATE

I've just tried something now. I removed again all the pam_ldap entries in all pam configuration fields and I have also removed `shadow: ldap` from nsswitch.conf. Now in the whole system there are only the lines `passwd: ldap files` and `group: ldap files` in nsswitch.conf. Well... the login with LDAP users works perfectly, those two lines (plus /etc/ldap.conf) are enough to configure LDAP auth.

From my knowledge PAM is independent from NSS, but my tests showed it's not. So I ask myself: is it possible to completely disable NSS and use only PAM?

ColOfAbRiX
  • I didn't see your update. Please run the following commands and report your findings, replacing LDAPUSER with the user who you think is only configured in LDAP. `getent shadow | grep LDAPUSER` `grep LDAPUSER /etc/shadow` – Andrew B Sep 17 '13 at 14:39

2 Answers

It helps to break things down like this in your head:

  • NSS - A module based system for controlling how various OS-level databases are assembled in memory. This includes (but is not limited to) passwd, group, shadow (this is important to note), and hosts. UID lookups use the passwd database, and GID lookups use the group database.

  • PAM - A module based system for allowing service based authentication and accounting. Unlike NSS, you are not extending existing databases; PAM modules can use whatever logic they like, though shell logins still depend on the passwd and group databases of NSS. (you always need UID/GID lookups)

The important difference is that PAM does nothing on its own. If an application does not link against the PAM library and make calls to it, PAM will never get used. NSS is core to the operating system, and the databases are fairly ubiquitous to normal operation of the OS.

Now that we have that out of the way, here's the curve ball: while pam_ldap is the popular way to authenticate against LDAP, it's not the only way.

  • If shadow is pointing at the ldap service within /etc/nsswitch.conf, any authentication that runs against the shadow database will succeed if the attributes for those shadow field mappings (particularly the encrypted password field) are present in LDAP and would permit login.
    • This in turn means that pam_unix.so can potentially result in authentication against LDAP, as it authenticates against the shadow database. (which is managed by NSS, and may be pointing at LDAP)
  • If a PAM module performs calls against a daemon that in turn queries the LDAP database (say, pam_sss.so, which hooks sssd), it's possible that LDAP will be referenced.
Andrew B
  • Many thanks, I know that nsswitch.conf + pam_unix can do all the work by themselves. But also PAM should be able to do the same, because it's independent, as you wrote too. My understanding is that the module pam_ldap should be enough to authenticate the user against an ldap server. Isn't it? – ColOfAbRiX Sep 13 '13 at 10:41
  • Authenticate yes, but unless you have another way to obtain user information (local /etc/passwd or whatever) you still need a way to find out group membership, home directory etc. You are still confusing authentication and authorization/attribute enumeration. – TheFiddlerWins Sep 13 '13 at 12:40
  • @ColOfAbRiX TheFiddlerWins is correct. It's enough to *authenticate*, but you still need a way to look up UIDs + GID memberships as I noted. These are obtained from the `passwd` and `group` databases (NSS), which means they must be on the local system (`/etc/passwd`+`/etc/group`), or obtained via the `ldap` NSS module. – Andrew B Sep 13 '13 at 19:44
  • Here's a way to help you understand: run `getent passwd` and `getent group` with LDAP enabled for both databases in `/etc/nsswitch.conf`. Then disable LDAP in that file, and run both commands again. `getent` is a command for dumping NSS databases. – Andrew B Sep 13 '13 at 19:53
  • At last I was able to understand everything with a bit more of work. Thank you guys! – ColOfAbRiX Oct 04 '13 at 16:55
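
The routes to LDAP named in the answer above (pam_ldap, a daemon-backed module such as pam_sss, and pam_unix reading a shadow database that NSS points at LDAP), plus the passwd/group lookups a login always needs, can be read off the two config files. This is an added shell example, not part of the original thread; the function names are made up for illustration and the sample files in `demo` are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list the ways LDAP can take part in a
# login, given an nsswitch.conf and one PAM service file from /etc/pam.d.

# nss_sources FILE DB: print the sources configured for NSS database DB.
nss_sources() {
    awk -v db="$2:" '{ sub(/#.*/, "") }
        $1 == db { for (i = 2; i <= NF; i++) if ($i !~ /^\[/) print $i }' "$1"
}

# pam_auth_modules FILE: print the module named on every "auth" line.
# A bracketed control such as [success=1 default=ignore] spans several fields.
# "@include" lines are not followed; pass each included file separately.
pam_auth_modules() {
    awk '{ sub(/#.*/, "") }
        $1 == "auth" || $1 == "-auth" {
            i = 2
            if ($i ~ /^\[/) while (i < NF && $i !~ /\]$/) i++
            m = $(i + 1); sub(/.*\//, "", m); print m
        }' "$1"
}

# ldap_paths NSSWITCH PAMFILE: print one finding per line.
ldap_paths() {
    mods=$(pam_auth_modules "$2")
    for m in pam_ldap.so pam_sss.so; do   # direct bind / via sssd
        printf '%s\n' "$mods" | grep -qx "$m" && echo "auth: $m"
    done
    # pam_unix checks the shadow database, which NSS may source from LDAP
    if printf '%s\n' "$mods" | grep -qx 'pam_unix.so' &&
       nss_sources "$1" shadow | grep -qx ldap; then
        echo "auth: pam_unix.so via shadow: ldap"
    fi
    for db in passwd group; do            # UID/GID lookups, always needed
        nss_sources "$1" "$db" | grep -qx ldap && echo "identity: $db: ldap"
    done
    return 0
}

# Constructed sample: pam_ldap removed from PAM, "shadow: ldap" still in NSS.
demo() {
    d=$(mktemp -d) || return 1
    printf 'passwd: ldap files\ngroup: ldap files\nshadow: ldap files\n' >"$d/nss"
    printf 'auth required pam_env.so\nauth required pam_unix.so\nauth required pam_deny.so\n' >"$d/pam"
    ldap_paths "$d/nss" "$d/pam"
    rm -rf "$d"
}
demo
```

On a real host, call `ldap_paths /etc/nsswitch.conf /etc/pam.d/common-auth` and compare the findings with what `getent shadow` and `getent passwd` actually return.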

NSS is there to enumerate information about services/users (what group you belong to, where your home directory is etc). PAM determines what to do about that information.

If you want to use LDAP for authentication you need pam_ldap. If you are using something else (local accounts, Kerberos etc) then you may not.

So they do different things. NSS gets information, PAM determines who is allowed to do what once that information is obtained.

TheFiddlerWins
  • Thanks, but the problem is that it doesn't work in that way, in my system at least :) At the beginning I understood the same but then I have tried to remove all the pam_ldap entries in PAM and LDAP authentication still worked (and disabled the cache). This increased my confusion :) – ColOfAbRiX Sep 12 '13 at 15:29
  • How are you verifying that you are authenticating via pam_ldap after removing it? Post the contents of your common-auth please. I am not sure about the paths in SUSE but in answer to the first part of your third question, even with pam_ldap working you need some way for the system to know who you are - this is provided by NSS – TheFiddlerWins Sep 12 '13 at 17:21
  • I'm sorry, I mean that after removing pam_ldap, LDAP auth worked without it, I guess it worked through NSS. The file `common-auth` contained only pam_env, pam_unix and pam_deny. – ColOfAbRiX Sep 13 '13 at 08:03
  • That does not make sense, how did you confirm LDAP auth worked? – TheFiddlerWins Sep 13 '13 at 12:37
  • Logging in using an LDAP account and monitoring the ldap servers' log. nscd (caching) is disabled – ColOfAbRiX Sep 13 '13 at 12:41