Ldap – PAM, nsswitch and LDAP configuration


I have a technical and precise question about two types of configuration related to LDAP: the PAM configuration files and nsswitch.conf.
What is the difference between the passwd_compat configuration and pam_list?
I'm quite confused... thanks in advance.
Filippo

Best Answer

Unless I'm misunderstanding your question you seem to be conflating two different things, which is probably leading to your confusion:

pam_list is an account authorization module - that is, it lets you specify ways of determining if a user's account is "valid" on a given machine. Refer to the man page for pam_list for more information. You would use pam_list in a PAM configuration file in order to allow/deny specific users on specific hosts.
pam_list can be used with allow or deny files, and also has a "compat" option which makes it work the same way NIS traditionally does (+ and - lines in /etc/passwd).
You can refer to the man page for pam_list for more information here.

If you are using LDAP (pam_ldap or similar) there are "better" ways of doing the user authorization stuff - typically using LDAP groups or OUs to control access.
See the appropriate documentation for your LDAP PAM module for the specifics.
passwd_compat is a "pseudo-database" that appears in nsswitch.conf. If you're using LDAP you would usually list LDAP as part of the passwd and group databases, and your LDAP-nsswitch interfacing module (nss_ldap or similar) would handle doing the LDAP lookup bits. You could also set passwd_compat to point to nis or ldap as appropriate. Typically this results in something like:

 passwd: compat
 passwd_compat: files ldap

The man page for nsswitch.conf is a good source of information about this. You may also find some insight in the O'Reilly book Managing NFS and NIS - about 10 years old (2nd Ed.) but still generally applicable.
I believe O'Reilly also has an LDAP book out but I'm not sure if it discusses anything about nsswitch or PAM...
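As an added illustration that is not part of the original answer, the following Python models how a compat-style passwd database merges a local /etc/passwd containing + and - lines with a directory source (the part that passwd_compat points at). The passwd lines and the directory contents are constructed, and the merge logic is a simplified stand-in for glibc's nss_compat behaviour, not the real NSS code.

```python
# Constructed model of 'passwd: compat' merging; not glibc's nss_compat implementation.
from dataclasses import dataclass, replace

@dataclass
class PwEntry:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

def parse_entry(line: str) -> PwEntry:
    """Parse one 7-field passwd line (name:passwd:uid:gid:gecos:home:shell)."""
    name, _, uid, gid, gecos, home, shell = line.split(":")
    return PwEntry(name, int(uid), int(gid), gecos, home, shell)

# Constructed local /etc/passwd: plain entries plus the +/- directives that compat mode honours.
LOCAL_PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash",
    "-mallory",                  # never admit mallory from the directory
    "+bob",                      # admit bob with the fields the directory has for him
    "+::::::/usr/sbin/nologin",  # admit everyone else, but force a non-login shell
]

# Constructed directory answers, standing in for what nss_ldap (or NIS) would return.
DIRECTORY = [parse_entry(l) for l in [
    "bob:x:2001:2001:Bob:/home/bob:/bin/bash",
    "carol:x:2002:2002:Carol:/home/carol:/bin/zsh",
    "mallory:x:2003:2003:Mallory:/home/mallory:/bin/bash",
]]

def resolve_compat(local_lines, directory):
    """Walk the local file in order; '-name' blacklists, '+name' and '+' pull from the directory."""
    by_name = {e.name: e for e in directory}
    result, excluded = {}, set()
    for raw in local_lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("-"):
            excluded.add(line[1:].split(":")[0])
            continue
        if not line.startswith("+"):
            entry = parse_entry(line)
            result[entry.name] = entry
            continue
        fields = line[1:].split(":") + [""] * 7   # pad so missing override fields read as ""
        want, gecos, home, shell = fields[0], fields[4], fields[5], fields[6]
        candidates = [by_name[want]] if want in by_name else ([] if want else directory)
        for e in candidates:
            if e.name in excluded or e.name in result:
                continue  # blacklisted earlier, or already listed locally
            # like glibc, only gecos/home/shell can be overridden by a '+' line
            result[e.name] = replace(e, gecos=gecos or e.gecos, home=home or e.home, shell=shell or e.shell)
    return result
```

Running resolve_compat(LOCAL_PASSWD, DIRECTORY) yields root and alice from the local file, bob with his directory shell, carol with /usr/sbin/nologin, and no mallory at all.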
