Ldap – Understand PAM and NSS

Tags: authentication, ldap, nss, pam

In the last days I have set up some Linux systems with LDAP authentication and everything works fine, but there's still something I can't really understand regarding NSS and PAM, even after a lot of research.

Citing:

NSS allows administrators to specify a list of sources where authentication files, host names and other information will be stored and searched for

and

PAM is a set of libraries that provide a configurable authentication platform for applications and the underlying operating system

What I don't understand is how PAM and NSS work and interact together. In this book the architecture is explained pretty well: I configure PAM to use pam_ldap for LDAP accounts and pam_unix for local accounts, then I configure nsswitch.conf to fetch information from local files and LDAP.

If I have understood correctly LDAP is used twice: first by pam_ldap and then by NSS which is itself called from pam_unix. Is that right? Is LDAP really used twice? But why do I need to configure both NSS and PAM? My explanation is that PAM performs different tasks than NSS and it is used by other programs. But, then, it should be possible to use only NSS or only PAM, as I have read in this page.

So I experimented a bit and I first tried to delete LDAP from nsswitch.conf (and the authentication stopped working, as if pam_ldap alone is not enough to do the job). Then I re-enabled LDAP in NSS and deleted it from the PAM configuration (this time everything worked fine, as if pam_ldap is useless and NSS is enough to authenticate a user).

Is there anyone who can help me to clarify this? Many thanks in advance.

UPDATE

I've just tried something now. I removed again all the pam_ldap entries from all PAM configuration files and I have also removed shadow: ldap from nsswitch.conf. Now, in the whole system, the only LDAP lines are passwd: ldap files and group: ldap files in nsswitch.conf. Well… the login with LDAP users works perfectly; those two lines (plus /etc/ldap.conf) are enough to configure LDAP auth.

From my knowledge PAM is independent from NSS, but my tests showed it's not. So I ask myself: is it possible to completely disable NSS and use only PAM?

Best Answer

It helps to break things down like this in your head:

  • NSS - A module based system for controlling how various OS-level databases are assembled in memory. This includes (but is not limited to) passwd, group, shadow (this is important to note), and hosts. UID lookups use the passwd database, and GID lookups use the group database.

  • PAM - A module based system for allowing service based authentication and accounting. Unlike NSS, you are not extending existing databases; PAM modules can use whatever logic they like, though shell logins still depend on the passwd and group databases of NSS. (you always need UID/GID lookups)

The important difference is that PAM does nothing on its own. If an application does not link against the PAM library and make calls to it, PAM will never get used. NSS is core to the operating system, and the databases are fairly ubiquitous to normal operation of the OS.

Now that we have that out of the way, here's the curve ball: while pam_ldap is the popular way to authenticate against LDAP, it's not the only way.

  • If shadow is pointing at the ldap service within /etc/nsswitch.conf, any authentication that runs against the shadow database will succeed if the attributes for those shadow field mappings (particularly the encrypted password field) are present in LDAP and would permit login.
    • This in turn means that pam_unix.so can potentially result in authentication against LDAP, as it authenticates against the shadow database. (which is managed by NSS, and may be pointing at LDAP)
  • If a PAM module performs calls against a daemon that in turn queries the LDAP database (say, pam_sss.so, which hooks sssd), it's possible that LDAP will be referenced.
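To make the shadow-database point concrete, here is an added Python model (not code from the answer, nor from any PAM or NSS implementation) of how a pam_unix-style check resolves through the source order in nsswitch.conf. The config fragments, users, and the pbkdf2 hash format standing in for crypt(3) strings are all constructed assumptions; only the answer's shadow path is modelled, not any passwd-field fallback.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed nsswitch.conf fragments: the questioner's final layout, and the same with shadow on LDAP.
NSSWITCH_NO_SHADOW_LDAP = "passwd: ldap files\ngroup: ldap files\nshadow: files\n"
NSSWITCH_SHADOW_LDAP = "passwd: ldap files\ngroup: ldap files\nshadow: files ldap\n"


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Parse nsswitch.conf into {database: [source, ...]}; comments and [action] tokens are skipped."""
    order: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, _, srcs = line.partition(":")
        order[db.strip()] = [s for s in srcs.split() if not s.startswith("[")]
    return order


def make_hash(password: str, salt: bytes) -> str:
    # Assumption: stand-in for the crypt(3) string a real shadow entry or LDAP userPassword would hold.
    return salt.hex() + "$" + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000).hex()


# Constructed shadow-style sources: "files" knows only a local user, "ldap" only a directory user.
SHADOW_SOURCES = {
    "files": {"alice": make_hash("local-pw", b"saltA")},
    "ldap": {"bob": make_hash("ldap-pw", b"saltB")},
}


def nss_getspnam(user: str, order: Dict[str, List[str]]) -> Optional[str]:
    """Mimic getspnam(): consult each source listed for 'shadow' in order; the first hit wins."""
    for src in order.get("shadow", ["files"]):
        entry = SHADOW_SOURCES.get(src, {}).get(user)
        if entry is not None:
            return entry
    return None


def pam_unix_authenticate(user: str, password: str, nsswitch_text: str) -> bool:
    """What pam_unix effectively does: fetch the shadow entry through NSS and compare the hash."""
    stored = nss_getspnam(user, parse_nsswitch(nsswitch_text))
    if stored is None:
        return False  # no shadow entry reachable via the configured sources
    salt_hex, _, _ = stored.partition("$")
    candidate = make_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)
```

With shadow: files ldap the directory user bob authenticates through pam_unix alone; drop ldap from the shadow line and the same credentials fail, which is the mechanism the answer describes.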