
On my servers I have my system users provisioned with Chef and have no desire to expose any additional users to these machines. I would however like to utilize pam for the authentication backend for my monit dashboard.

Do I need to set up libnss-ldapd to make pam_ldap work? Or am I thinking about this the wrong way. Would it really matter if I set up nss if /etc/pam.d/common-* don't use pam_ldap?

Steve Buzonas

1 Answer


It depends on what flavor of pam_ldap we're talking about. You didn't mention an OS, but from the libnss-ldapd I can gather that we're talking about some flavor of Debian.

libpam-ldap and libpam-ldapd are two separate beasts and both implement pam_ldap.so. The ldapd flavor has a dependency on nslcd (not libnss-ldapd), which can be used without enabling the NSS component. I don't recall if nslcd has a hard dependency on libnss-ldapd, but even so it will only get referenced if you add "ldap" to /etc/nsswitch.conf. You needn't worry about it somehow doing something with NSS behind your back.

At this point you're probably wondering what the difference is (and why people would bother with the added dependency), so here's a freebie:

  • PADL's pam_ldap module (libpam-ldap) isn't actively developed. Nothing new and interesting will ever happen with it.
  • Lack of a daemon comes with a price: there is no way for the library to share connections or state. Every invocation of the library must spin up its own unique LDAP connection and tear it back down. The primary strength of libpam-ldapd (and sssd for that matter) is that the backend daemon can handle the actual LDAP connection and keep a running state regarding its reachability.
  • libpam-ldapd has at least one situational feature that is not present in either sssd or the other PAM module.

The inclusion of a daemon is more of a sticking point when you are using the NSS module, because every single program having to independently time out on reaching the LDAP server is less than ideal and why I envy every younger Linux admin who has never had to learn that the hard way.

So there you go: you can avoid NSS integration, and you can avoid the nslcd daemon depending on the module you choose. The implementation strategy is up to you.

Andrew B
  • When you say "It will only get referenced", which are you referring to? `libpam-ldapd`? Also, you say "The latter" and then say "not `libnss-ldapd`", do you then mean the former? – Steve Buzonas Feb 06 '15 at 02:43
  • I've edited the answer for clarity. – Andrew B Feb 06 '15 at 02:46
  • Thanks, very concise otherwise. Covered my follow-up questions generated by the answer. – Steve Buzonas Feb 06 '15 at 02:49
  • It's a confusing mess: there are multiple implementations that have all claimed the name of `pam_ldap` and `pam_krb5` over the years. It's worth the time to save others the pain of researching it. :( – Andrew B Feb 06 '15 at 02:54
  • I used `pam_ldap` years ago; that was when I thought pam was just a fancy way to configure user authentication backends. I followed a howto and that was the end of it. As my development role is broadening to cover more sysadmin tasks I'm learning pam can be used for a great deal more, and I want to try to use it more often. – Steve Buzonas Feb 06 '15 at 03:08
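As an added example (not code from the question, the answer, or the nss-pam-ldapd project), here is what the answer's approach looks like on disk: a stack for one PAM service only that uses pam_ldap.so from libpam-ldapd, an nslcd.conf fragment, and a guard that verifies /etc/nsswitch.conf has not been given the "ldap" source for passwd, group or shadow. It assumes the dashboard's PAM service name is `monit`; the server, base DN and group DN are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the question, answer or the nss-pam-ldapd project.
# Idea from the answer: put pam_ldap.so (libpam-ldapd, backed by nslcd) in a stack
# for one service only, leave /etc/pam.d/common-* alone, and never add "ldap" to
# /etc/nsswitch.conf, so LDAP accounts never become resolvable system users.
# Assumptions: the dashboard's PAM service name is "monit"; server, base DN and
# group DN below are constructed placeholders.

# Constructed /etc/pam.d/monit: only this service consults LDAP.
PAM_MONIT_STACK='auth     required  pam_ldap.so
account  required  pam_ldap.so'

# Constructed /etc/nslcd.conf fragment: nslcd holds the LDAP connection (the daemon
# the answer describes); pam_authz_search limits who passes the account phase.
NSLCD_CONF_FRAGMENT='uid nslcd
gid nslcd
uri ldaps://ldap.example.com/
base dc=example,dc=com
pam_authz_search (&(objectClass=posixAccount)(uid=$username)(memberOf=cn=monit-admins,ou=groups,dc=example,dc=com))'

# nss_uses_ldap FILE: exit 0 if the passwd, group or shadow line of the given
# nsswitch.conf lists the "ldap" source, exit 1 otherwise. Suitable as a guard in
# the Chef run or a monitoring check so NSS integration is not enabled by accident.
nss_uses_ldap() {
    awk '
        /^[ \t]*#/ || !/:/ { next }                 # skip comments and non-entries
        {
            split($0, parts, ":")
            db = parts[1]; gsub(/[ \t]/, "", db)
            if (db != "passwd" && db != "group" && db != "shadow") next
            n = split(parts[2], srcs)               # sources separated by blanks
            for (i = 1; i <= n; i++) if (srcs[i] == "ldap") found = 1
        }
        END { exit !found }' "$1"
}

# Stand-alone demo on a constructed nsswitch.conf that keeps NSS local.
demo_nsswitch=$(mktemp)
printf 'passwd:  files systemd\ngroup:   files systemd\nshadow:  files\nhosts:   files dns\n' > "$demo_nsswitch"
if nss_uses_ldap "$demo_nsswitch"; then
    echo "nsswitch.conf resolves users via LDAP: LDAP accounts would become system users"
else
    echo "nsswitch.conf stays local; only the monit PAM stack talks to LDAP via nslcd"
fi
rm -f "$demo_nsswitch"
```

The two config strings are what you would drop into /etc/pam.d/monit and /etc/nslcd.conf; the guard is the check that the NSS side stays untouched.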