Bug 103569 - PAM and NSS shouldn't use the same config file
Summary: PAM and NSS shouldn't use the same config file
Status: CLOSED DUPLICATE of bug 103568
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: nss_ldap   
Version: 9
Hardware: i386 Linux
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Jay Turner
Keywords: FutureFeature
Reported: 2003-09-02 14:57 UTC by Trond H. Amundsen
Modified: 2015-01-08 00:06 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-02-21 18:58:23 UTC


Description Trond H. Amundsen 2003-09-02 14:57:56 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624

Description of problem:
Why split ldap.conf into pam-ldap.conf and nss-ldap.conf:

When using pam_ldap for authentication, most servers are configured
to accept only TLS/SSL connections when doing a non-anonymous bind. This
is, of course, because sending cleartext passwords is a bad idea.
Usually the LDAP server is configured to reject bind attempts, and so
it should. Therefore you'll set "ssl start_tls" or use "uri
ldaps://" or something.

The problem with the 'nss_ldap' package on RedHat is that it contains
both pam_ldap and nss_ldap, and just one config file. When replacing
e.g. NIS with LDAP, you need nss_ldap for other name service
information. This works just fine, but these searches are also
encrypted. Encrypting every connection to the LDAP server is overkill,
to say the least. It generates both extra waiting and load on the

/etc/ldap.conf is also a default config file for other LDAP-based
software. It is read by libldap (OpenLDAP) to determine things like extra
certificates and such. If you tweak ldap.conf with, say, "base
cn=NIS,dc=redhat,dc=com" because you only want to search through relevant
information when using {pam|nss}_ldap, other programs could fail.

Setting a special base for {pam|nss}_ldap is optional, but often
reduces the load on the server (depends on what other info is stored on the
server). Optimally you want to use 
"pam_ldap_base cn=users,cn=NIS,dc=redhat,dc=com" and 
"nss_ldap_base cn=NIS,dc=redhat,dc=com".

The main problem is either full encryption or no encryption at all.

Version-Release number of selected component (if applicable):

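The following is an added example, not part of the bug report or of the nss_ldap package. It is a small checker for the PADL-style /etc/ldap.conf syntax (one "keyword value" per line, '#' comment lines) that models the two layouts the report contrasts: the single shared file, where one "ssl" setting governs both the PAM bind and every NSS lookup, and the proposed split into a pam_ldap file that always uses TLS and an nss_ldap file with a wider base and no encryption. The hostnames, DNs and paths in the sample files are constructed for the example; the keywords used (host, base, uri, ssl, tls_checkpeer, tls_cacertfile, pam_password) are real pam_ldap/nss_ldap options, while the "pam_ldap_base"/"nss_ldap_base" names the report proposes are not options of the released software and are not used here. Treating an unset tls_checkpeer as "not verified" is this example's own conservative reading.

```python
# Added example (not code from the bug report or the nss_ldap package):
# a checker for pam_ldap/nss_ldap configuration files in /etc/ldap.conf syntax.
# Hostnames, DNs and paths below are constructed for the example.

def parse_ldap_conf(text):
    """Parse 'keyword value' lines; '#' lines are comments, keywords are
    case-insensitive, and a later entry overrides an earlier one."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ''
    return conf


def bind_is_encrypted(conf):
    """A simple bind (the message carrying the user's password) is protected
    only if the client negotiates TLS: 'ssl start_tls' / 'ssl on', or a
    'uri' list consisting solely of ldaps:// URIs."""
    ssl = conf.get('ssl', 'no').lower()
    if ssl in ('start_tls', 'on', 'yes'):
        return True
    uris = conf.get('uri', '').split()
    return bool(uris) and all(u.lower().startswith('ldaps://') for u in uris)


def peer_is_verified(conf):
    """TLS without certificate verification still hands the password to
    whoever can intercept the connection.  Assumption of this example: the
    server certificate counts as verified only if 'tls_checkpeer yes' is set."""
    return conf.get('tls_checkpeer', 'no').lower() in ('yes', 'true', 'on')


def assess(text, needs_password):
    """Summarise one config file.  needs_password=True for the file pam_ldap
    reads (it binds as the user); False for nss_ldap lookups, where the report
    argues encryption is a choice rather than a requirement."""
    conf = parse_ldap_conf(text)
    encrypted = bind_is_encrypted(conf)
    verified = peer_is_verified(conf)
    problems = []
    if needs_password and not encrypted:
        problems.append('password bind would be sent in cleartext')
    if needs_password and encrypted and not verified:
        problems.append('TLS enabled but server certificate not verified (tls_checkpeer)')
    return {
        'base': conf.get('base', ''),
        'encrypted': encrypted,
        'peer_verified': verified,
        'problems': problems,
    }


# Constructed sample files -------------------------------------------------

# One shared /etc/ldap.conf as shipped: pam_ldap and nss_ldap both read it,
# so either every NSS lookup is encrypted too, or the PAM bind is not.
SHARED_CONF = """\
host ldap.example.com
base dc=example,dc=com
ssl start_tls
"""

# Proposed split, file 1: pam_ldap always over TLS, narrow user base.
PAM_CONF = """\
uri ldaps://ldap.example.com/
base cn=users,cn=NIS,dc=example,dc=com
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/ca.crt
pam_password exop
"""

# Proposed split, file 2: nss_ldap searches the wider NIS subtree in the clear.
NSS_CONF = """\
uri ldap://ldap.example.com/
base cn=NIS,dc=example,dc=com
ssl no
"""


def compare_layouts():
    """Return the assessment of each of the three sample files."""
    return {
        'shared': assess(SHARED_CONF, needs_password=True),
        'pam': assess(PAM_CONF, needs_password=True),
        'nss': assess(NSS_CONF, needs_password=False),
    }


if __name__ == '__main__':
    for name, result in compare_layouts().items():
        print(f"{name:7s} base={result['base']!r} encrypted={result['encrypted']} "
              f"peer_verified={result['peer_verified']} problems={result['problems']}")
```

Run as a script it prints one line per layout. The shared file shows the trade-off the report describes (the bind is encrypted, but so is every lookup that reads the same file, and the bare "ssl start_tls" is flagged because nothing pins the server certificate); the split PAM file passes, and the NSS file is reported as unencrypted without being treated as a problem, since no password travels over it.
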
Comment 1 Chan Min Wai 2004-02-03 08:01:02 UTC
dcmwai|triage->duplicate 103568

Comment 2 Miloslav Trmac 2004-02-03 17:17:16 UTC

*** This bug has been marked as a duplicate of 103568 ***

Comment 3 Red Hat Bugzilla 2006-02-21 18:58:23 UTC
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.
