Bug 103568 - PAM and NSS shouldn't use the same config file
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: nss_ldap
Hardware: All   OS: Linux
Priority: medium   Severity: medium
Assigned To: Nalin Dahyabhai
QA Contact: Jay Turner
Keywords: FutureFeature
Duplicates: 103569
Depends On: 553857
Reported: 2003-09-02 10:49 EDT by Trond H. Amundsen
Modified: 2015-01-07 19:06 EST

Doc Type: Enhancement
Last Closed: 2010-02-12 14:33:48 EST
Attachments: None
Description Trond H. Amundsen 2003-09-02 10:49:34 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624

Description of problem:
Why split ldap.conf into pam-ldap.conf and nss-ldap.conf:

When using pam_ldap for authentication, most servers are configured
to accept only TLS/SSL connections when doing a non-anon bind. This
is, of course, because sending cleartext passwords is a bad idea.
Usually the LDAP server is configured to reject bind attempts, and so
it should. Therefore you'll set "ssl start_tls" or use "uri
ldaps://" or something.

The problem with the 'nss_ldap' package on Red Hat is that it contains
both pam_ldap and nss_ldap, and just one config file. When replacing
e.g. NIS with LDAP, you need nss_ldap for other nameservice
information. This works just fine, but these searches are also
encrypted. Encrypting every connection to the LDAP server is overkill,
to say the least. It generates both extra waiting and load on the

/etc/ldap.conf is also a default config file for other LDAP-based
software. It is read by libldap (OpenLDAP) to determine stuff like extra
certificates and such. If you tweak ldap.conf with, say, "base
cn=NIS,dc=redhat,dc=com" because you only want to search through relevant
information when using {pam|nss}_ldap, other programs could fail.

Setting a special base for {pam|nss}_ldap is optional, but often
reduces the load on the server (depends on what other info is stored on the
server). Optimally you want to use 
"pam_ldap_base cn=users,cn=NIS,dc=redhat,dc=com" and 
"nss_ldap_base cn=NIS,dc=redhat,dc=com".

The main problem is either full encryption or no encryption at all.

Version-Release number of selected component (if applicable):
Comment 1 Miloslav Trmac 2004-02-03 12:17:19 EST
*** Bug 103569 has been marked as a duplicate of this bug. ***
Comment 2 Bill Nottingham 2006-08-05 00:03:31 EDT
Red Hat apologizes that these issues have not been resolved yet. We do want to
make sure that no important bugs slip through the cracks.

Red Hat Linux 7.3 and Red Hat Linux 9 are no longer supported by Red Hat, Inc.
They are maintained by the Fedora Legacy project (http://www.fedoralegacy.org/)
for security updates only. If this is a security issue, please reassign to the
'Fedora Legacy' product in bugzilla. Please note that Legacy security update
support for these products will stop on December 31st, 2006.

If this is not a security issue, please check if this issue is still present
in a current Fedora Core release. If so, please change the product and version
to match, and check the box indicating that the requested information has been

If you are currently still running Red Hat Linux 7.3 or 9, please note that
Fedora Legacy security update support for these products will stop on December
31st, 2006. You are strongly advised to upgrade to a current Fedora Core release
or Red Hat Enterprise Linux or comparable. Some information on which option may
be right for you is available at http://www.redhat.com/rhel/migrate/redhatlinux/.

Any bug still open against Red Hat Linux 7.3 or 9 at the end of 2006 will be
closed 'CANTFIX'. Again, if this bug still exists in a current release, or is a
security issue, please change the product as necessary. We thank you for your
help, and apologize again that we haven't handled these issues to this point.
Comment 3 Trond H. Amundsen 2006-08-29 08:18:30 EDT
I've updated this bug to Red Hat Enterprise Linux 4, since it persists in
the latest nss_ldap release.

A work-around exists: One can specify 'config=/path/to/ldap.conf' for
pam_ldap.so, but I still think that this is a clumsy and unnecessary
approach. Clients that need LDAP for both authentication and authorisation
need a split configuration. Other distributions, e.g. Debian, use different
configuration files for PAM and NSS. I think RHEL should too.
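The config= workaround described in this comment, checked from the defender's side, as an added example that is not part of the bug report or of nss_ldap: a POSIX shell audit that finds which ldap.conf each pam_ldap.so line actually reads and whether that file forces TLS for the password bind. The host name, DNs and file paths in the sample files are constructed.

```shell
# Added example (not from the bug report or nss_ldap): find which ldap.conf
# each pam_ldap.so line reads (the config= workaround from comment 3, else the
# shared /etc/ldap.conf) and check that it forces TLS for the password bind.
PAM_LDAP_DEFAULT_CONF=${PAM_LDAP_DEFAULT_CONF:-/etc/ldap.conf}

# Print each distinct config file used by pam_ldap.so in one PAM stanza.
pam_ldap_configs() {
    grep -E '^[^#]*pam_ldap\.so' "$1" | while IFS= read -r line; do
        case "$line" in
            *config=*) printf '%s\n' "$line" |
                       sed -E 's/.*config=([^[:space:]]+).*/\1/' ;;
            *)         printf '%s\n' "$PAM_LDAP_DEFAULT_CONF" ;;
        esac
    done | sort -u
}

# Return 0 if the file enforces TLS for binds: "ssl start_tls", "ssl on"
# (LDAPS), or every "uri" entry using ldaps://.
ldap_conf_enforces_tls() {
    grep -Eiq '^[[:space:]]*ssl[[:space:]]+(start_tls|on)' "$1" && return 0
    uris=$(grep -Ei '^[[:space:]]*uri[[:space:]]' "$1" |
           sed -E 's/^[[:space:]]*[Uu][Rr][Ii][[:space:]]+//')
    [ -n "$uris" ] || return 1
    for u in $uris; do
        case "$u" in ldaps://*) ;; *) return 1 ;; esac
    done
    return 0
}

# Report "<conf> ok" or "<conf> PLAINTEXT-BIND" per config file; non-zero
# if any config used for authentication would send the password in clear.
audit_pam_stanza() {
    rc=0
    for conf in $(pam_ldap_configs "$1"); do
        if ldap_conf_enforces_tls "$conf"; then echo "$conf ok"
        else echo "$conf PLAINTEXT-BIND"; rc=1; fi
    done
    return $rc
}

# Constructed sample files standing in for /etc: a shared ldap.conf without
# TLS (enough for NSS lookups) and a split pam_ldap.conf that requires TLS.
make_samples() {
    d=$(mktemp -d)
    printf 'uri ldap://ldap.example.com/\nbase cn=NIS,dc=example,dc=com\n' > "$d/ldap.conf"
    printf 'uri ldap://ldap.example.com/\nbase cn=users,cn=NIS,dc=example,dc=com\nssl start_tls\ntls_checkpeer yes\n' > "$d/pam_ldap.conf"
    printf 'auth sufficient pam_ldap.so use_first_pass config=%s\n' "$d/pam_ldap.conf" > "$d/system-auth-split"
    printf 'auth sufficient pam_ldap.so use_first_pass config=%s\n' "$d/ldap.conf" > "$d/system-auth-shared"
    echo "$d"
}
```

Run `audit_pam_stanza /etc/pam.d/system-auth` on a real host to see whether the stanza's pam_ldap.so lines end up in a TLS-enforcing file or in the shared /etc/ldap.conf.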
Comment 4 Nalin Dahyabhai 2010-02-12 14:33:48 EST
We're not going to change this in an update -- it'll have to be done on the development stream so that it takes effect during a major version upgrade.  Marking #553857 as a blocker for this, as it falls out of splitting the two into separate packages, which is what we're doing there.  Marking as deferred to that future release.
