Bug 103569 - PAM and NSS shouldn't use the same config file
Status: CLOSED DUPLICATE of bug 103568
Product: Red Hat Linux
Classification: Retired
Component: nss_ldap
Version: 9
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Nalin Dahyabhai
QA Contact: Jay Turner
Keywords: FutureFeature
Reported: 2003-09-02 10:57 EDT by Trond H. Amundsen
Modified: 2015-01-07 19:06 EST
Doc Type: Enhancement
Last Closed: 2006-02-21 13:58:23 EST

Description Trond H. Amundsen 2003-09-02 10:57:56 EDT
Description of problem:
Why split ldap.conf into pam-ldap.conf and nss-ldap.conf:

When using pam_ldap for authentication, most servers are configured
to accept only TLS/SSL connections when doing a non-anonymous bind. This
is, of course, because sending cleartext passwords is a bad idea.
Usually the LDAP server is configured to reject bind attempts, and so
it should. Therefore you'll set "ssl start_tls" or use "uri
ldaps://127.0.0.1/" or something.

The problem with the 'nss_ldap' package on RedHat is that it contains
both pam_ldap and nss_ldap, and just one config file. When replacing
e.g. NIS with LDAP, you need nss_ldap for other nameservice
information. This works just fine, but these searches are also
encrypted. Encrypting every connection to the LDAP server is overkill,
to say the least. It generates both extra waiting and load on the
server.

/etc/ldap.conf is also a default config file for other LDAP-based
software. It is read by libldap (OpenLDAP) to determine things like extra
certificates and such. If you tweak ldap.conf with, say, "base
cn=NIS,dc=redhat,dc=com" because you only want to search through relevant
information when using {pam|nss}_ldap, other programs could fail.

Setting a special base for {pam|nss}_ldap is optional, but often
reduces the load on the server (depending on what other info is stored on the
server). Optimally you want to use
"pam_ldap_base cn=users,cn=NIS,dc=redhat,dc=com" and
"nss_ldap_base cn=NIS,dc=redhat,dc=com".

The main problem is either full encryption or no encryption at all.

Version-Release number of selected component (if applicable):
nss_ldap-202-5
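The split the report asks for, written out as an added illustration (not from the report, the nss_ldap package or Red Hat): the file names, the `ssl`, `uri` and `base` directives and the two DNs come from the report; `tls_checkpeer` and `tls_cacertfile` are standard nss_ldap/pam_ldap ldap.conf directives; the hostname and CA path are constructed placeholders.

```conf
# /etc/pam-ldap.conf  (hypothetical split file, as proposed in the report)
# Read only by pam_ldap. Authentication binds carry the user's password,
# so every connection is TLS-protected and the server certificate is verified.
uri ldap://ldap.example.com/
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/ca.crt
# Narrow base: only the user entries pam_ldap has to bind against.
base cn=users,cn=NIS,dc=redhat,dc=com

# /etc/nss-ldap.conf  (hypothetical split file, as proposed in the report)
# Read only by nss_ldap, for anonymous passwd/group/hosts lookups.
# No "ssl" directive means plain LDAP, which is what the report wants for
# these public maps. Any map that is not public (shadow, for instance)
# must stay on the TLS side or be moved into its own protected config.
uri ldap://ldap.example.com/
# Wider base: the whole NIS-replacement subtree.
base cn=NIS,dc=redhat,dc=com
```

With a single shared /etc/ldap.conf, whichever of the two `base` and `ssl` settings you pick applies to both consumers, which is exactly the all-or-nothing encryption the report describes.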
Comment 1 Chan Min Wai 2004-02-03 03:01:02 EST
dcmwai|triage->duplicate 103568
Comment 2 Miloslav Trmac 2004-02-03 12:17:16 EST

*** This bug has been marked as a duplicate of 103568 ***
Comment 3 Red Hat Bugzilla 2006-02-21 13:58:23 EST
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.