On Sat, 2008-07-05 at 22:32 +0200, Petter Reinholdtsen wrote:
> > My preference would be to abandon libpam-ldap, as I have libnss-ldap
> > in favour of modifying libnss-ldapd to support the password changing
> > feature - I've spoken with the OpenLDAP upstream who have actually
> > included libnss-ldapd into newer versions of OpenLDAP! and they
> > appeared interested, but I've not yet spoken with the libnss-ldapd
> > maintainer (who is also upstream).
>
> In Debian Edu, we use libpam-ldap to check passwords and to allow them
> to be changed. Is there a replacement for checking passwords using
> LDAP? If not, we will be using pam-ldap also in the future, or at
> least until we succeed in replacing it with Kerberos. :)
Is there any documentation on changing passwords through the NSS interface (or something similar enough)? (Or do I misunderstand?)

I personally like it very much that something like pam_ldap exists. The implementation may have its flaws, but I feel PAM is the right interface to do these kinds of things. I know that you can expose password hashes through NSS to do authentication with pam_unix (haven't tried this in a long time though), but I think it is very ugly and doesn't support the other things PAM offers (changing password, shell and gecos, etc).

Perhaps once nss-ldapd settles down a bit more I'll have some time to tackle pam_ldap (maybe integrate a PAM module into the current code). But don't hold your breath for that just yet.

The reason that I thought the PAM module was less of a problem than the NSS module was:
- the PAM module should have the opportunity to clean up after itself
- the PAM module doesn't have to be as careful about its environment (the nss_ldap NSS module has to do checking of file descriptors, handling of fork(), etc, etc)
- I had fewer problems with the PAM module (fewer bugs found)

(You could probably even do without a separate daemon by doing a fork(), messing in that address space and passing the results back and forth.)

Also note that the NSS module is very different from the PAM module:
- PAM is more of a one-shot thing (connect, maybe search, bind, maybe get some attributes, perhaps change something, unbind, done)
- NSS is more time-critical (we have to worry about not creating a new connection for each request, reuse connections, etc)

As such the current LDAP-related code in nss-ldapd is not very fit for the PAM case (all operations are read-only and assume the same kind of connection). If you're interested in developing a pam_ldap replacement using nss-ldapd code I can help you get started though.
The people from OpenLDAP (specifically Howard Chu [1]) have imported nss-ldapd to be able to use a slapd instance to do what nslcd does in nss-ldapd. The NSS module code from nss-ldapd is used unmodified. I haven't tried this yet but it seems promising. Setting up a slapd instance with replication and this interface however seems more complex than installing nss-ldapd. They are also thinking about integrating a PAM module, but I don't know about the progress they've made.

[1] http://www.openldap.org/lists/openldap-devel/200806/msg00000.html

-- 
arthur - [EMAIL PROTECTED] - http://people.debian.org/~adejong
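The thread contrasts pam_ldap (one-shot connect, bind, maybe change something, unbind) with nss-ldapd, and mentions that Debian Edu relies on pam_ldap for both checking and changing passwords. As an added illustration that is not part of the mailing-list thread and not shipped by either project, here is a Debian-style PAM stack that uses pam_unix and pam_ldap side by side for exactly those two tasks. File paths, the `[success=N default=ignore]` jump layout and the module options are assumptions about a Debian layout of that era; pam_ldap reads the LDAP server and bind settings from its own configuration file, which is not shown.

```conf
# /etc/pam.d/common-auth  (assumed Debian layout; added example, not from the thread)
# Try the local shadow file first; on success jump over the LDAP module and pam_deny.
auth    [success=2 default=ignore]  pam_unix.so nullok_secure
# Fall back to an LDAP simple bind with the password already collected by pam_unix
# (use_first_pass avoids prompting twice).
auth    [success=1 default=ignore]  pam_ldap.so use_first_pass
# Nothing above succeeded: fail closed. Without this line an unknown user would
# fall through to pam_permit below.
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so

# /etc/pam.d/common-password  (assumed Debian layout; added example, not from the thread)
# pam_unix enforces the password-quality checks (obscure) and handles local accounts.
password  [success=2 default=ignore]            pam_unix.so obscure sha512
# For LDAP accounts, reuse the new password that pam_unix already validated
# (use_authtok) instead of prompting again; an LDAP user unknown to pam_unix still
# gets here because user_unknown=ignore skips that module for it.
password  [success=1 user_unknown=ignore default=die]  pam_ldap.so use_authtok try_first_pass
password  requisite                             pam_deny.so
password  required                              pam_permit.so
```

The check a practitioner wants here is the `pam_deny.so` line in each stack: the jump counts (`success=2`, `success=1`) skip it only when a module actually succeeded, so a user present in neither the local shadow file nor LDAP cannot slide through to `pam_permit.so`. The `use_authtok` option is what makes "changing passwords through PAM" work for LDAP accounts without a second prompt, which is the capability the thread notes has no NSS equivalent.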