
RE: CAN LOGIN WORK WITHOUT PAM



I've been testing LDAP in an environment of SGI clients which don't
have PAM.

Technically speaking, yes a client can login without PAM, but LDAP
must be supported via other means.

Specific to the SGI's; you simply add "ldap" to the appropriate lines
in /etc/nsswitch.conf and update /var/ns/ldap.conf to talk to your
LDAP server.

At this point you are then left with issues like:

1. How do I support shadow passwords?
2. How do my users change their passwords?
3. How do I handle password aging?

If anyone has addressed these on SGI's I'd be very interested in hearing
the solution.

But, in answer to the original question, no, PAM isn't essential for
authenticating against LDAP, but it's the best documented.

-Steve

-----Original Message-----
From: Tony Earnshaw [mailto:tonni@billy.demon.nl]
Sent: Tuesday, April 22, 2003 7:56 AM
To: openldap-software@OpenLDAP.org
Subject: Re: CAN LOGIN WORK WITHOUT PAM


Tue, 22.04.2003 at 13.05, Nitin k. wrote:

> My question is what's the difference in getent and login as far as 
> LDAP is concerned, if any AND Is PAM support imperative for the 
> Login prog. to work with LDAP ?

You need PAM for login if the user is an LDAP-based user, not if the
user is an /etc/passwd and shadow user. That's as far as Solaris and
Linux are concerned, at any rate.

As far as getent is concerned, do (Linux) 'strace getent passwd $user
2>&1 | grep open' to see which files are being opened. You won't find
PAM files there.

Best,

Tony

-- 

Tony Earnshaw

Do not come to visit me with both arms the same length.

e-mail:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
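
An added example, not part of either message: a small Python check that parses an nsswitch.conf and reports which account databases the name service switch will send to LDAP, which is the lookup path getent exercises. It assumes the Linux/Solaris file syntax (the IRIX file may differ in detail); the sample contents and all function names are constructed for illustration.

```python
import re

# Constructed sample in the Linux/Solaris nsswitch.conf syntax (not from the thread).
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     files ldap
group:      files ldap   # groups also come from the directory
shadow:     files
hosts:      files dns [NOTFOUND=return] ldap
"""

ACCOUNT_DATABASES = ("passwd", "shadow", "group")


def parse_nsswitch(text):
    """Return {database: [sources in lookup order]}, ignoring comments and [actions]."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, _, rest = line.partition(":")
        rest = re.sub(r"\[[^\]]*\]", " ", rest)  # drop [STATUS=action] items
        databases[name.strip()] = rest.split()
    return databases


def ldap_account_report(text):
    """For each account database, say whether NSS will consult ldap for it."""
    dbs = parse_nsswitch(text)
    return {db: "ldap" in dbs.get(db, []) for db in ACCOUNT_DATABASES}


def gaps(text):
    """Account databases that stay local-only while passwd is served from LDAP."""
    report = ldap_account_report(text)
    if not report["passwd"]:
        return []
    return [db for db in ACCOUNT_DATABASES if not report[db]]


if __name__ == "__main__":
    for db, uses_ldap in ldap_account_report(SAMPLE_NSSWITCH).items():
        print(f"{db:8s} ldap={'yes' if uses_ldap else 'no'}")
    print("local-only while passwd uses ldap:", gaps(SAMPLE_NSSWITCH))
```

A non-empty result from `gaps()` marks the databases where directory users have no matching entry source, such as the shadow data behind the password-aging question raised above.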