PAM LDAP configuration for non-local user authentication
I have a requirement to allow non-local user accounts to be logged in via LDAP authentication.
Meaning, the user that is trying to log in is allowed access if the user account exists in the LDAP server database; there is no need to have a local user.
I'm able to achieve this if I run NSLCD (/usr/sbin/nslcd).
I would like to know if we can do this with any configuration in /etc/pam.d/sshd or /etc/pam_ldap.conf without running NSLCD.
Please let me know your suggestions.
Thanks,
Sravani
linux ldap authentication pam
asked Jul 8 '13 at 7:53
Sravani
2 Answers
No, it's not possible to do this with only PAM.

PAM is a library for authentication, authorization, and related accounting tasks. It's not a low level library; if a program does not include explicit calls to PAM, it sits around doing nothing.

Lookups of uid and gid are routed through a system called NSS (Name Service Switch). This is configured via /etc/nsswitch.conf. If you are not providing a library for NSS to talk to LDAP, the low level C libraries can't perform lookups against it.

It is possible to use a different NSS library for LDAP that doesn't rely on nslcd (this is how the old LDAP library supplied by PADL operated), but it's almost certainly a bad idea. Without a daemon running in the background, every call to NSS must open up a new connection to the LDAP server and immediately release it. This is extremely wasteful and makes it impossible for the libraries to track the state of the remote server, i.e. every NSS lookup must individually time out during a network outage.
answered Jul 9 '13 at 3:11
Andrew B
Thanks for the info Andrew. All the cases of LDAP authentication work fine if there is a local account with the same name, without the need to run the NSLCD daemon. For the case of a non-local user account, I had to run NSLCD, hence I wanted to check if there is some configuration that can take care of this. As per your info, it looks like it's mandatory to run NSLCD for this case. Am I right?
– Sravani
Jul 9 '13 at 5:47
@Sravani Correct. The main thing to take away is that PAM will let you perform authentication tasks, but to support a user that isn't local to the system, you need more than just PAM (i.e. NSS).
– Andrew B
Jul 9 '13 at 14:33
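The split Andrew B describes can be checked directly on a host. The script below is an added example, not part of the answer or of any project: it reads the configured passwd sources from nsswitch.conf and asks getent(1) whether a login name resolves, which is the same NSS lookup sshd performs before any PAM module is consulted. It assumes a glibc system with getent and the usual "database: source source" line format; the nsswitch.conf it writes when run without arguments is a constructed sample, and the script name and user names in the usage note are hypothetical.

```shell
#!/bin/sh
# Added diagnostic (not from the original answer). Shows why a user that is
# absent from NSS never reaches PAM: the name must resolve first.
# Assumes glibc getent(1) and the standard nsswitch.conf layout.

# Print the NSS sources configured for a database (passwd, group, shadow).
# "passwd: files ldap" yields "files ldap". Comments and extra blanks removed.
nss_sources() {
    db="$1"; conf="${2:-/etc/nsswitch.conf}"
    sed -n "s/^[[:space:]]*${db}[[:space:]]*:[[:space:]]*//p" "$conf" \
        | sed 's/#.*//; s/[[:space:]]*$//' | head -n 1 | tr -s ' \t' ' '
}

# Succeed if the database lists a directory-backed source: "ldap" (served
# by nslcd) or "sss" (served by sssd). Fail if it only uses local files.
nss_has_directory_source() {
    for src in $(nss_sources "$1" "$2"); do
        case "$src" in
            ldap|sss) return 0 ;;
        esac
    done
    return 1
}

# Succeed if the account resolves through NSS. getent walks every
# configured source, so this mirrors the getpwnam() call sshd makes.
user_resolves() {
    getent passwd "$1" >/dev/null 2>&1
}

# Explain the outcome for one login name against one nsswitch.conf.
check_login() {
    user="$1"; conf="${2:-/etc/nsswitch.conf}"
    if user_resolves "$user"; then
        echo "$user resolves via NSS (passwd: $(nss_sources passwd "$conf")); PAM can now be consulted"
        return 0
    fi
    if nss_has_directory_source passwd "$conf"; then
        echo "$user does not resolve although passwd lists a directory source: check that nslcd/sssd is running and reachable"
    else
        echo "$user does not resolve and passwd uses only local sources ($(nss_sources passwd "$conf")): no PAM setting can change this"
    fi
    return 1
}

# With no arguments, run against a constructed sample nsswitch.conf.
if [ "$#" -eq 0 ]; then
    tmp=$(mktemp)
    printf 'passwd: files ldap\ngroup:  files ldap\nshadow: files\n' > "$tmp"
    check_login root "$tmp" || echo "(root did not resolve on this host)"
    rm -f "$tmp"
else
    check_login "$@"
fi
```

Run it as `sh check_nss.sh alice` (hypothetical file and user) on the host you are debugging. A name that fails this lookup is rejected by sshd before a password is ever handed to PAM, which is why the question's setup works for accounts that also exist in /etc/passwd and fails for directory-only accounts until nslcd (or sssd) provides the NSS side.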
If you're using Red Hat or a derived distro, just use the authconfig util.
Not sure if that is available under Debian/deb-derived distros (I suspect not).
If you want more info you'll probably have to specify what distro you are using.
answered Jul 8 '13 at 10:56
Jason Tan
I'm using MCP Linux, where I don't have the authconfig util.
– Sravani
Jul 8 '13 at 11:24