On Wednesday 06 October 2004 20:44, Jed Donnelley wrote:
> As I understand the PAM architecture (as on the diagram above) this should > work to use with apache authentication being forwarded to LDAP. However, I > found that > I needed to include: > > passwd: files ldap > group: files ldap > > in my /etc/nsswitch.conf file to get it to function. This meant I couldn't > use it in my system as it forced all sorts of LDAP users and groups to > be on the system (e.g. for login, file access, etc., etc.) that should not > be on the system.
nopes,
?
you need nss_ldap for that, which comes from the same padl.com people who wrote pam_ldap.
Correct, but of course I have nss_ldap functioning and I need to do so if those calls to getpwnam and getgrnam are going to function for the users and groups that are only visible through LDAP.
The bottom line is the way mod_auth_pam is coded, getpwnam and getrgnam must function for the users/groups that I want to authenticate from apache with mod_auth_pam. For those functions to work for those users/groups the users/groups must appear as if they are in /etc/passwd and /etc/group - e.g. by use of lib_nss and nss_ldap.
--Jed http://www.nersc.gov/~jed/
_______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
