Héctor González - 09.11.18, 00:02:
> >> Quoting wirelessd...@gmail.com (wirelessd...@gmail.com):
> > [snip]
> > 
> >>> So my next question is, what's the recommended package to
> >>> authenticate
> >>> with LDAP and allow users to login to a desktop via their LDAP
> >>> account?  I've seen various options for PAM and NSS, but do I need
> >>> to
> >>> configure both or just one?
> > 
> > [snip]
> 
> You can use libpam-ldap for this, it handles the authentication part.
[…]
> There is also nslcd, which I remember using with samba-ad, as nscd
> didn't like that ldap for some reason, and it has a different config
> file /etc/nslcd.conf
> 
> I'd use nscd first, and if you run into trouble try nslcd.

I suggest using nslcd with libpam-ldapd and libnss-ldapd. It has several 
advantages¹.

Of course, if Kerberos is used, I'd use libpam-krb5, libpam-heimdal or  
libpam-shishi instead of libnss-ldapd. As nslcd recommends libpam-krb5, 
it might work together with it.

Or use sssd, in case it can be installed without pulling libsystemd0 / 
systemd. But for that you'd need to create a configuration file by hand. 
It is not very difficult, but it would configure with debconf questions 
like nslcd does.

It may be an option to use 389 directory server instead of OpenLDAP. 
SUSE just made that move with SLES 15. And it has a GUI. I did not yet 
test it more thoroughly, so I have nothing more to say about it.

Of course Samba as AD DC (ideally together with Heimdal instead of MIT 
Kerberos) is also an option.

From what I saw with preparing training slides for all of these: I'd 
like something simpler, still secure for all of that. Kerberos and LDAP 
are hefty regarding their complexity.

[1] https://arthurdejong.org/nss-pam-ldapd/

Ciao,
-- 
Martin

