
During the last days I've been fiddling around with LDAP authentication and I've managed to configure some Linux systems (CentOS 6 and 7) to perform the SSH authentication process against an OpenLDAP server (which I also installed and configured). However, and even though everything works as I intend, there's still something about the LDAP authentication process that is bugging me.

What I don't quite understand is how PAM and NSS work with each other and how they interact with one another. After researching the topic, I came to the conclusion that (Reference):

  1. NSS offers a name service mechanism to obtain the user and group name information;
  2. PAM offers a flexible authentication mechanism used by the application software and thus involves password data exchange.

But what is the authentication flow? How are the files/services that I configured used (/etc/nsswitch.conf, /etc/nslcd.conf, /etc/nscd.conf, /etc/pam.d/password-auth), and in what order?

Note: If I remove from "nsswitch.conf" the line corresponding to the shadow database, the authentication process still works without any problem. Does this mean that the file "nsswitch.conf" is never used for obtaining the sources for password lookups?

  • Potential duplicate of [this Q&A](https://serverfault.com/q/538383/152073). Does this one explain it well enough? – Andrew B Aug 02 '17 at 05:48

1 Answer


Depending on the configuration, LDAP does not require a shadow database. There are two common options:

  • The request authenticates access to LDAP. This requires passing the userid and password to LDAP, which will accept or reject the authentication. This uses the password directly in LDAP, not as looked up from the shadow data.
  • Use an LDAP user with lookup privileges to access the password or password hash and match the password. In some cases, this might use the shadow data or the data in the password field of the password file.

NSS provides access to a number of name databases such as passwd, hosts, services and groups. Lookups can be done against a variety of sources, including both files and LDAP. It may co-operate with a caching daemon to keep local copies of recently accessed data.

PAM provides authentication based on a number of rules. Depending on the version it may have a separate LDAP module, or its password module will be LDAP aware and able to authenticate against LDAP.

BillThor
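As an added example (not code from the question or from BillThor's answer), the following Python parses constructed copies of nsswitch.conf and the auth section of password-auth and reports which component handles each step: NSS resolves the user name through the passwd sources, while PAM's auth stack, when it contains pam_ldap.so, checks the password by binding to LDAP, so the shadow line is never consulted for an LDAP user. The sample config contents and the helper names are assumptions, not files from the original poster's systems.

```python
# Constructed sample of /etc/nsswitch.conf; the shadow line is left out on
# purpose to mirror the experiment described in the question's note.
NSSWITCH = """\
passwd:     files ldap
group:      files ldap
hosts:      files dns
"""

# Constructed sample of the auth section of /etc/pam.d/password-auth in the
# shape authconfig --enableldapauth typically writes (pam_ldap after pam_unix).
PASSWORD_AUTH = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
"""

def nss_sources(text):
    """Map each NSS database to its ordered list of sources (e.g. files, ldap)."""
    sources = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or ":" not in line:
            continue
        db, rest = line.split(":", 1)
        sources[db.strip()] = rest.split()
    return sources

def pam_stack(text, facility="auth"):
    """Return (control, module) pairs for one PAM facility, in stack order."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == facility:
            stack.append((fields[1], fields[2]))
    return stack

def explain(nss_text, pam_text):
    """Summarise which file answers which question during an SSH login."""
    nss, auth = nss_sources(nss_text), pam_stack(pam_text)
    return {
        "passwd_lookup": nss.get("passwd"),          # name -> uid/gid/home/shell
        "shadow_lookup": nss.get("shadow"),          # None: line absent, glibc default applies
        "auth_order": [m for _, m in auth],          # PAM modules tried top to bottom
        # Only pam_unix.so reads shadow; pam_ldap.so/pam_sss.so bind to the directory.
        "ldap_bind_auth": any(m in ("pam_ldap.so", "pam_sss.so") for _, m in auth),
    }

if __name__ == "__main__":
    for key, value in explain(NSSWITCH, PASSWORD_AUTH).items():
        print(f"{key}: {value}")
```

Run against the real files on a configured host to see the same picture for that system; a missing shadow line with ldap_bind_auth true is the situation the question describes.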