Bug 103569

Summary: PAM and NSS shouldn't use the same config file
Product: [Retired] Red Hat Linux
Reporter: Trond H. Amundsen <t.h.amundsen>
Component: nss_ldap
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED DUPLICATE
QA Contact: Jay Turner <jturner>
Severity: medium
Priority: medium
Version: 9
CC: pere, srevivo
Keywords: FutureFeature
Hardware: i386
OS: Linux
Doc Type: Enhancement
Last Closed: 2006-02-21 18:58:23 UTC

Description Trond H. Amundsen 2003-09-02 14:57:56 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624

Description of problem:
Why split ldap.conf into pam-ldap.conf and nss-ldap.conf:

When using pam_ldap for authentication, most servers are configured
to accept only TLS/SSL connections when doing a non-anonymous bind. This
is, of course, because sending cleartext passwords is a bad idea.
Usually the LDAP server is configured to reject such bind attempts, and so
it should. Therefore you'll set "ssl start_tls" or use "uri
ldaps://127.0.0.1/" or something.

The problem with the 'nss_ldap' package on RedHat is that it contains
both pam_ldap and nss_ldap, and just one config file. When replacing
e.g. NIS with LDAP, you need nss_ldap for other name service
information. This works just fine, but these searches are also
encrypted. Encrypting every connection to the LDAP server is overkill,
to say the least. It generates both extra waiting and load on the
server.

/etc/ldap.conf is also a default config file for other LDAP-based
software. It is read by libldap(OpenLDAP) to determine stuff like extra
certificates and such. If you tweak ldap.conf with, say "base
cn=NIS,dc=redhat,dc=com" because you only want to search through relevant
information when using {pam|nss}_ldap, other programs could fail.

Setting a special base for {pam|nss}_ldap is optional, but often
reduces the load on the server (depends on what other info is stored on the
server). Optimally you want to use 
"pam_ldap_base cn=users,cn=NIS,dc=redhat,dc=com" and 
"nss_ldap_base cn=NIS,dc=redhat,dc=com".

The main problem is either full encryption or no encryption at all.

Version-Release number of selected component (if applicable):
nss_ldap-202-5

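The following is an added example, not part of the bug report or of the nss_ldap project. It parses the `key value` format that nss_ldap and pam_ldap read from `/etc/ldap.conf` and audits a parsed file for the two properties the report is about: whether a PAM simple bind would send the password in cleartext (and, if TLS is on, whether the server certificate is actually verified), and which search base applies. The three embedded configs are constructed samples: the single shared file the reporter objects to, and a hypothetical split into a PAM-only and an NSS-only file using real nss_ldap/pam_ldap option names (`uri`, `base`, `ssl`, `tls_checkpeer`, `tls_cacertfile`); the file names and the `dc=example,dc=com` tree are assumptions.

```python
"""Audit nss_ldap/pam_ldap style config files for cleartext binds and search base.

Added example; the config texts below are constructed, not taken from any system.
"""

# Constructed sample: one /etc/ldap.conf shared by pam_ldap, nss_ldap and libldap.
# TLS is forced for everything, so every NSS lookup pays the TLS cost too.
SHARED_LDAP_CONF = """\
host 127.0.0.1
base cn=NIS,dc=example,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/ca.pem
"""

# Constructed sample: hypothetical PAM-only file (the split the reporter asks for).
# Credential-bearing binds go over ldaps:// with a verified server certificate,
# and the base is narrowed to the users container.
PAM_LDAP_CONF = """\
uri ldaps://127.0.0.1/
base cn=users,cn=NIS,dc=example,dc=com
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/ca.pem
"""

# Constructed sample: hypothetical NSS-only file. Anonymous reads of public
# name-service data, no TLS, wider base covering passwd/group/hosts maps.
NSS_LDAP_CONF = """\
uri ldap://127.0.0.1/
base cn=NIS,dc=example,dc=com
"""


def parse_ldap_conf(text):
    """Parse 'key value' lines into {key: [values...]}; keys are case-insensitive.

    Blank lines and '#' comments are skipped. Repeated keys keep every value
    because nss_ldap allows some options (e.g. nss_base_*) more than once.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        cfg.setdefault(key, []).append(value)
    return cfg


def bind_is_encrypted(cfg):
    """True if binds use STARTTLS ('ssl start_tls'), LDAPS ('ssl on') or an ldaps:// URI."""
    ssl_values = [v.lower() for v in cfg.get("ssl", [])]
    if any(v in ("start_tls", "on", "yes") for v in ssl_values):
        return True
    for uri_line in cfg.get("uri", []):
        if any(u.lower().startswith("ldaps://") for u in uri_line.split()):
            return True
    return False


def peer_is_verified(cfg):
    """True only if the last 'tls_checkpeer' value is 'yes' (server cert verified)."""
    values = [v.lower() for v in cfg.get("tls_checkpeer", [])]
    return bool(values) and values[-1] == "yes"


def audit(cfg, role):
    """Return findings for a parsed config used in role 'pam' (binds with a
    user password) or 'nss' (anonymous name-service lookups)."""
    findings = []
    encrypted = bind_is_encrypted(cfg)
    if role == "pam":
        if not encrypted:
            findings.append("pam: simple bind password would cross the wire in cleartext")
        elif not peer_is_verified(cfg):
            findings.append("pam: TLS enabled but tls_checkpeer is not 'yes'; "
                            "server certificate is not verified")
    elif role == "nss" and encrypted:
        findings.append("nss: every name-service lookup is TLS-wrapped "
                        "(extra latency and server load)")
    base = cfg.get("base", ["<none>"])[-1]
    findings.append(f"{role}: search base is {base}")
    return findings


if __name__ == "__main__":
    for name, text, role in (("shared/nss", SHARED_LDAP_CONF, "nss"),
                             ("shared/pam", SHARED_LDAP_CONF, "pam"),
                             ("pam_ldap.conf", PAM_LDAP_CONF, "pam"),
                             ("nss_ldap.conf", NSS_LDAP_CONF, "nss")):
        for finding in audit(parse_ldap_conf(text), role):
            print(f"[{name}] {finding}")
```

Run against the shared file, the audit flags the NSS side as paying for TLS on every lookup while the PAM side is fine; against the split pair, each file carries only the search base finding, which is the outcome the report argues for. The same parser works on a real `/etc/ldap.conf` read from disk.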
Comment 1 Chan Min Wai 2004-02-03 08:01:02 UTC
dcmwai|triage->duplicate 103568

Comment 2 Miloslav Trmac 2004-02-03 17:17:16 UTC

*** This bug has been marked as a duplicate of 103568 ***

Comment 3 Red Hat Bugzilla 2006-02-21 18:58:23 UTC
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.