Re: Ldap NSS PAM Samba

2008-07-11 Thread Mel
On Friday 11 July 2008 02:03:04 Tim Judd wrote:
> I can't quote easily what the difference
> between NSS and PAM is

PAM is a module that abstracts authentication; it does not authenticate 
itself, but asks providers whether the information passed to it is correct and 
then relays this to the application, or tries a different method if this is 
allowed.

NSS is an abstraction of cryptographic protocols, applied to a network. In 
this schema, it is a transport provider:

       --- Application ---            ----- Network -----
      /                   \          /                   \
+---------------+     +-----+     +-----+     +---------------+
| User/password | --- | PAM | --- | NSS | --- | LDAP database |
+---------------+     +-----+     +-----+     +---------------+
      \                                                      /
       \____________________ Authentication ________________/

-- 
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Ldap NSS PAM Samba

2008-07-11 Thread Jan-Hendrik Zab
On Thu, 10 Jul 2008 18:03:04 -0600
Tim Judd [EMAIL PROTECTED] wrote:

> [EMAIL PROTECTED] wrote:
> > I am trying to set up a FreeBSD server with samba that uses
> > OpenLdap.  I have installed everything and was doing some
> > configuring.  I set this all up once before on a Linux box, but I
> > basically just went through the motions and really was not sure
> > what all I did...but it worked.  Now I want to understand
> > everything so that I know exactly what all I did. :)
> >
> > I have the following:
> > I installed OpenLdap which put ldap.conf in /usr/local/etc/openldap.
> > I installed PAM which put ldap.conf.dist in /usr/local/etc.
> > I installed NSS which put nss_ldap.conf in /usr/local/etc.
> >
> > From looking at them I assume that the last two are the same file
> > and one of them just needs to be renamed to ldap.conf and configured
> > for PAM and NSS, is that correct?
> >
> > The ldap.conf in /usr/local/etc/openldap is a different config file
> > even though it has the same name?  It is used for openldap and the
> > other is used for PAM and NSS?
> >
> > Thanks for any info.
> >
>
> openldap/ldap.conf is the OpenLDAP client configuration.  You're
> likely looking for the LDAP server configuration, openldap/slapd.conf
>
> etc/ldap.conf is for PAM, and etc/nss_ldap.conf are not to be
> merged. I've played ***VERY*** briefly with LDAP authentication
> through PAM and NSS, and both were required.  I can't quote easily
> what the difference between NSS and PAM is, but all the docs I
> referenced from Google when I searched said I needed both.

It's theoretically possible to use only one file for all three (with
symlinks), but you really need to know what you're doing.

OpenLDAP tools, pam_ldap and nss_ldap have more or less the same
configuration options. But there are a few quite subtle differences
between them; the easiest thing is to just configure them separately
while having a look at the appropriate man page.

Additionally, they don't start to bark at you when you configure a parameter 
that does not exist (in pam_ldap or nss_ldap only, etc.).
It wouldn't be easy to find out that the syntax of one of the three was
changed, etc.

Jan-Hendrik Zab
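Jan-Hendrik's warning that none of the three parsers complains about a keyword it does not know (so a typo is silently dropped, and a keyword from one dialect, say OpenLDAP's TLS_REQCERT versus the PADL modules' tls_checkpeer, is silently ignored by the other) can be turned into a check before a file is symlinked into all three places. The following is an added example, not code from this thread or from the OpenLDAP, pam_ldap or nss_ldap projects; the keyword sets are a hand-picked subset (an assumption) of the options the three man pages document, keyword matching is treated as case-insensitive (an assumption), and the sample file is constructed.

```python
"""Lint an ldap.conf-style file for keywords a component will silently ignore.

Added example; not code from the thread or from the OpenLDAP, pam_ldap or
nss_ldap projects. The keyword sets are a hand-picked subset (assumption) of
what the three man pages document; extend them from the pages on your own
host before trusting a clean result. Keywords are compared case-insensitively
(assumption): OpenLDAP writes them in upper case, the PADL modules in lower.
"""

# Subset of ldap.conf(5) keywords for the OpenLDAP client library and tools.
OPENLDAP_CLIENT = {
    "uri", "host", "port", "base", "binddn", "deref", "sizelimit", "timelimit",
    "network_timeout", "referrals", "tls_cacert", "tls_cacertdir", "tls_cert",
    "tls_key", "tls_reqcert",
}
# Subset of pam_ldap options.
PAM_LDAP = {
    "uri", "host", "port", "base", "ldap_version", "binddn", "bindpw",
    "rootbinddn", "scope", "timelimit", "bind_timelimit", "bind_policy",
    "ssl", "tls_checkpeer", "tls_cacertfile", "tls_cacertdir",
    "pam_filter", "pam_login_attribute", "pam_password", "pam_groupdn",
    "pam_member_attribute", "pam_min_uid",
}
# Subset of nss_ldap options.
NSS_LDAP = {
    "uri", "host", "port", "base", "ldap_version", "binddn", "bindpw",
    "rootbinddn", "scope", "timelimit", "bind_timelimit", "bind_policy",
    "ssl", "tls_checkpeer", "tls_cacertfile", "tls_cacertdir",
    "nss_base_passwd", "nss_base_group", "nss_base_shadow",
    "nss_map_attribute", "nss_map_objectclass",
}
COMPONENTS = {"openldap": OPENLDAP_CLIENT, "pam_ldap": PAM_LDAP, "nss_ldap": NSS_LDAP}
SHARED_BY_ALL = OPENLDAP_CLIENT & PAM_LDAP & NSS_LDAP


def parse_keywords(text):
    """Keyword of every active line, lower-cased, in file order.
    Blank lines and '#' comments are skipped; values are not interpreted."""
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keys.append(line.split(None, 1)[0].lower())
    return keys


def unknown_keywords(text, component):
    """Keywords in `text` that `component` does not know and would ignore."""
    known = COMPONENTS[component]
    return sorted({k for k in parse_keywords(text) if k not in known})


def lint(text):
    """Per component, the keywords it would silently drop."""
    return {name: unknown_keywords(text, name) for name in COMPONENTS}


def safe_for_symlink(text):
    """True when every keyword is understood by all three parsers, i.e. one
    file can be symlinked as openldap/ldap.conf, ldap.conf and nss_ldap.conf
    without any of them ignoring a line."""
    return all(k in SHARED_BY_ALL for k in parse_keywords(text))


# Constructed sample: one file with a typo and one keyword per dialect.
SAMPLE = """\
# /usr/local/etc/ldap.conf (constructed sample, not a real host)
host ldap.example.org
base dc=example,dc=org
ldap_version 3
pam_login_attribute uid
nss_base_passwd ou=People,dc=example,dc=org?one
nss_ldpa_base_group ou=Group,dc=example,dc=org?one
tls_cacertfile /usr/local/etc/openldap/cacert.pem
TLS_REQCERT demand
"""

if __name__ == "__main__":
    for component, bad in lint(SAMPLE).items():
        print(f"{component:9s} ignores: {', '.join(bad) or '-'}")
    print("safe to symlink:", safe_for_symlink(SAMPLE))
```

On the constructed sample every component drops something: the misspelt nss_ldpa_base_group line is ignored by all three, and the certificate-verification line is understood only by the parser whose spelling it uses, so the other two stay at their own default without a word of warning. That is the failure mode to look for when one file is shared: a verification setting that looks present but is not read by the module actually doing the bind.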


Re: Ldap NSS PAM Samba

2008-07-11 Thread David Robillard
> I am trying to set up a FreeBSD server with samba that uses OpenLdap.  I
> have installed everything and was doing some configuring.  I set this all
> up once before on a Linux box, but I basically just went through the
> motions and really was not sure what all I did...but it worked.  Now I
> want to understand everything so that I know exactly what all I did. :)
>
> I have the following:
> I installed OpenLdap which put ldap.conf in /usr/local/etc/openldap.
> I installed PAM which put ldap.conf.dist in /usr/local/etc.
> I installed NSS which put nss_ldap.conf in /usr/local/etc.
>
> From looking at them I assume that the last two are the same file and one
> of them just needs to be renamed to ldap.conf and configured for PAM and
> NSS, is that correct?
>
> The ldap.conf in /usr/local/etc/openldap is a different config file even
> though it has the same name?  It is used for openldap and the other is
> used for PAM and NSS?
>
> Thanks for any info.


> openldap/ldap.conf is the OpenLDAP client configuration.  You're likely
> looking for the LDAP server configuration, openldap/slapd.conf

True.

> etc/ldap.conf is for PAM, and etc/nss_ldap.conf are not to be merged.

False. You can symlink nss_ldap.conf to ldap.conf. Keep them separate
if you like to edit configuration files that contain the exact same
data. This way you can make mistakes. (Just kidding :)

Both nss_ldap and pam_ldap use the same configuration when they both
need to query the same LDAP server. If, for a reason, your company
uses different LDAP servers for PAM and NSS (say you just purchased
another company or something), then you need to keep etc/nss_ldap.conf
and etc/ldap.conf(5) files separate. Otherwise, IMHO you should try
and use a single LDAP server for all your data. Using several LDAP
repositories is the path to the dark side... (and to a lot of problems!)

If you do have more than one LDAP server (say an OpenLDAP, an Oracle
Internet Directory and a Microsoft Active Directory for instance),
then set up referrals between them. Or better yet, dump an LDIF file of
one and import it to another and drop one of the LDAP servers
altogether (or just use it as a referral point for its data if you
can't rip it out of your network). It's not an easy task, but it sure
is possible.

> I've played ***VERY*** briefly with LDAP authentication through PAM and
> NSS, and both were required.  I can't quote easily what the difference
> between NSS and PAM is, but all the docs I referenced from Google when I
> searched said I needed both.

NSS stands for Name Service Switch. Normally it's achieved via the
/etc/nsswitch.conf file. Basically it's telling applications where to
look for data (i.e. local files, NIS, NIS+, LDAP, DNS) for the various
data sources (i.e. groups, users, hosts, etc). See nsswitch.conf(5)
and getent(1) and http://www.padl.com/OSS/nss_ldap.html for details.

PAM stands for Pluggable Authentication Modules. It's an easy way to
plug various authentication methods into an existing infrastructure.
It basically allows you to use the local files, a Kerberos realm, an
LDAP directory and such to decide who can log in to your machines
without having to rewrite the entire authentication mechanism. See
pam.conf(5) and pam(3) plus http://www.padl.com/OSS/pam_ldap.html for
details.

Why do you need both NSS and PAM? Well, suppose you decide that you
want to use a Kerberos realm to authenticate and that the Kerberos
principals (or users if you prefer) are stored in an LDAP directory.
Now suppose an SSH connection comes in from user bob. Your machine
will check the PAM configuration as to which PAM modules it should
check for authentication. It will use NSS to know where to check in
order to find out who this bob user is (will it be in the local passwd
file or in the LDAP directory?). Once it finds where bob is stored (if
he exists) then it will compare the passwd string (or the Kerberos
ticket in our example) and use PAM to locate which module it has to
compare the ticket or password against.

HTH,

David
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122

If you receive something that says Send this to everyone you know,
then please pretend you don't know me.
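The split that Mel's diagram and David's SSH walkthrough describe, written out as an added example (not code from this thread, from FreeBSD or from the PADL modules): NSS answers who bob is by consulting the sources listed for passwd in nsswitch.conf, PAM answers whether the credential is good by walking the auth stack, and sshd needs both answers. The users, passwords and sources are constructed in memory; the PAM control flags follow the required/requisite/sufficient semantics of pam.conf(5), with optional treated as having no effect (a simplification). Dropping either half, the ldap source from nsswitch or pam_ldap from the auth stack, makes the LDAP user's login fail, which is why the documentation Tim found insisted on both.

```python
"""Login flow split across NSS (who is this user?) and PAM (is the credential
good?), as an added example.

Not code from the thread, FreeBSD or the PADL modules: both back ends are
constructed in-memory tables, and the PAM control flags follow the
required/requisite/sufficient semantics documented in pam.conf(5); the
'optional' flag is modelled as having no effect on the result (simplification).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Passwd:
    """The fields getpwnam(3) returns and sshd needs to build a session."""
    name: str
    uid: int
    gid: int
    home: str
    shell: str


# --- NSS side: name service sources, as listed for 'passwd' in nsswitch.conf.
FILES_PASSWD = {"root": Passwd("root", 0, 0, "/root", "/bin/sh")}           # /etc/passwd
LDAP_PASSWD = {"bob": Passwd("bob", 10001, 10001, "/home/bob", "/bin/sh")}  # ou=People
NSS_SOURCES = {"files": FILES_PASSWD, "ldap": LDAP_PASSWD}


def nss_getpwnam(name, nsswitch_passwd=("files", "ldap")):
    """Consult the sources in nsswitch.conf order and stop at the first hit,
    returning (entry, source) or (None, None)."""
    for source in nsswitch_passwd:
        entry = NSS_SOURCES[source].get(name)
        if entry is not None:
            return entry, source
    return None, None


# --- PAM side: auth modules. A module is any callable (user, password) -> bool.
FILES_SECRETS = {"root": "toor"}    # stands in for /etc/master.passwd hashes
LDAP_SECRETS = {"bob": "hunter2"}   # stands in for a simple bind as the user's DN


def pam_unix(user, password):
    return FILES_SECRETS.get(user) == password


def pam_ldap(user, password):
    return LDAP_SECRETS.get(user) == password


def pam_deny(user, password):
    return False


def pam_authenticate(stack, user, password):
    """Walk an 'auth' stack of (control, module) pairs in pam.conf(5) order.
    required:   a failure is remembered; later modules still run, stack fails.
    requisite:  a failure ends the stack immediately with failure.
    sufficient: a success ends the stack with success, unless a required
                module already failed.
    optional:   ignored in this model."""
    failed = False
    for control, module in stack:
        ok = module(user, password)
        if control == "required":
            failed = failed or not ok
        elif control == "requisite":
            if not ok:
                return False
        elif control == "sufficient":
            if ok and not failed:
                return True
        elif control != "optional":
            raise ValueError(f"unknown control flag {control!r}")
    return not failed


# A typical sshd 'auth' stack once pam_ldap is added: directory users succeed
# on the first line, local users fall through to pam_unix.
SSHD_AUTH = [("sufficient", pam_ldap), ("required", pam_unix)]


def ssh_login(user, password, nsswitch_passwd=("files", "ldap"), stack=SSHD_AUTH):
    """The sequence described in the thread: NSS answers *who* the user is,
    PAM answers *whether* the credential is good. Returns (allowed, reason)."""
    entry, source = nss_getpwnam(user, nsswitch_passwd)
    if entry is None:
        return False, f"{user}: no passwd entry from NSS, no uid/home to build a session"
    if not pam_authenticate(stack, user, password):
        return False, f"{user}: found via nss:{source} but PAM rejected the credential"
    return True, f"{user}: uid={entry.uid} home={entry.home} via nss:{source}"


if __name__ == "__main__":
    print(ssh_login("bob", "hunter2"))                                  # both halves present
    print(ssh_login("bob", "hunter2", nsswitch_passwd=("files",)))      # nss_ldap missing
    print(ssh_login("bob", "hunter2", stack=[("required", pam_unix)]))  # pam_ldap missing
    print(ssh_login("root", "toor"))                                    # local user still works
```

One detail of the stack walk is worth keeping in mind when editing /etc/pam.d: a required module that fails earlier in the stack is not rescued by a sufficient module that succeeds later, so putting pam_unix as required above pam_ldap as sufficient locks every directory-only user out even though their LDAP bind works.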


Ldap NSS PAM Samba

2008-07-10 Thread sgmayo
I am trying to set up a FreeBSD server with samba that uses OpenLdap.  I
have installed everything and was doing some configuring.  I set this all
up once before on a Linux box, but I basically just went through the
motions and really was not sure what all I did...but it worked.  Now I
want to understand everything so that I know exactly what all I did. :)

I have the following:
I installed OpenLdap which put ldap.conf in /usr/local/etc/openldap.
I installed PAM which put ldap.conf.dist in /usr/local/etc.
I installed NSS which put nss_ldap.conf in /usr/local/etc.

From looking at them I assume that the last two are the same file and one
of them just needs to be renamed to ldap.conf and configured for PAM and
NSS, is that correct?

The ldap.conf in /usr/local/etc/openldap is a different config file even
though it has the same name?  It is used for openldap and the other is
used for PAM and NSS?

Thanks for any info.

-- 
Scott Mayo - System Administrator
Bloomfield Schools
PH: 573-568-5669  FA: 573-568-4565

Question: Because it reverses the logical flow of conversation.
Answer: Why is putting a reply at the top of the message frowned upon?



Re: Ldap NSS PAM Samba

2008-07-10 Thread Tim Judd

[EMAIL PROTECTED] wrote:

> I am trying to set up a FreeBSD server with samba that uses OpenLdap.  I
> have installed everything and was doing some configuring.  I set this all
> up once before on a Linux box, but I basically just went through the
> motions and really was not sure what all I did...but it worked.  Now I
> want to understand everything so that I know exactly what all I did. :)
>
> I have the following:
> I installed OpenLdap which put ldap.conf in /usr/local/etc/openldap.
> I installed PAM which put ldap.conf.dist in /usr/local/etc.
> I installed NSS which put nss_ldap.conf in /usr/local/etc.
>
> From looking at them I assume that the last two are the same file and one
> of them just needs to be renamed to ldap.conf and configured for PAM and
> NSS, is that correct?
>
> The ldap.conf in /usr/local/etc/openldap is a different config file even
> though it has the same name?  It is used for openldap and the other is
> used for PAM and NSS?
>
> Thanks for any info.

openldap/ldap.conf is the OpenLDAP client configuration.  You're likely 
looking for the LDAP server configuration, openldap/slapd.conf


etc/ldap.conf is for PAM, and etc/nss_ldap.conf are not to be merged.  
I've played ***VERY*** briefly with LDAP authentication through PAM and 
NSS, and both were required.  I can't quote easily what the difference 
between NSS and PAM is, but all the docs I referenced from Google when I 
searched said I needed both.
