07-25-2003 06:48 AM
which ldap authentification: pam or nss?
I started reading documentation on HPUX-LDAP integration...
Besides using a NIS-LDAP gateway, I see that LDAP can be accessed/queried either by pam_ldap or by nss_ldap. I don't really understand why we have the 2 access types, or when and why we should use one or the other.
Most of all, which one should I install?
Thanks for your help,
Sundance
07-25-2003 06:57 AM
Re: which ldap authentification: pam or nss?
But, pam_ldap seems to be the way to go, based on my talks with various folks at HP.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
07-25-2003 07:02 AM
Re: which ldap authentification: pam or nss?
We are running HPUX 11i servers.
We have an ADS directory (but using ADS is not mandatory).
First, we want to use netgroups for our NFS drive 'ACL'.
Then I want to centralise account information... I don't have much to centralize now, but I might as well start now!
Can you explain what the difference is between pam and nss?
Thanks,
S
11-19-2003 09:54 AM
Re: which ldap authentification: pam or nss?
In a nutshell, pam is for authentication and nss is for name service.
pam_ldap provides a new authentication method which allows an HP-UX box to use an ldap server for authentication.
nss_ldap provides a new name service that allows users to look up information, such as group/passwd/netgroup/protocol/hostname, from the ldap server.
When you should use one or the other depends on what you are trying to accomplish.
For example, if you issue commands such as login/su/remsh, these commands use both pam_ldap and nss_ldap.
Other commands such as who, gwget, finger use nss_ldap only (they just query name information, and no authentication is involved).
Both pam_ldap and nss_ldap are installed during the setup of HP-UX LDAP integration.
But you can always select your authentication method and name service by customizing the pam.conf and nsswitch.conf files.
11-19-2003 10:18 AM
Re: which ldap authentification: pam or nss?
Works well. We just started using it a couple of weeks ago. Even when we expired the users' passwords on ADS, when they logged onto our HPUX they were prompted to change their password and it updated the ADS! (cool...)
HTH
-- Rod Hills
12-17-2003 03:03 AM
Re: which ldap authentification: pam or nss?
pam_ldap
pam_ldap is (as its name says) for authentication. Authentication is the process of checking the password given by the user at the prompt against the password stored in the database.
pam_ldap sends the password given by the user "as is" to the ldap server. The ldap server crypts the password and compares it with the one stored in its database. The ldap server answers with an OK if the password was good. The benefits are that
1) the password encryption is platform independent (not necessarily crypt format)
2) the password policy is applied on the server, platform independent. Nothing to configure on the clients
Drawbacks:
The password is sent unencrypted unless you use ldaps (which is not supported by ldapux).
HP recommends the use of a secure tunnel like stunnel or IPSec/9000. I have not tested it.
nss_ldap
nss (name service switch) is a name service switch, i.e. a switch between different databases (files, nis, ldap).
For authentication, nss is called by pam_unix (through getpwent()).
It tries to retrieve the password field in the database, prompts for a password, encrypts the password and then compares the 2 encrypted passwords.
1) because of this behavior, the password must be in crypt format in the database (the ldap directory).
2) the password is crypted when sent on the network
So you don't HAVE TO configure pam_ldap AND nss_ldap.
I configured pam.conf with only pam_unix (default configuration) and added ldap in nsswitch.conf. Again, this is because nss is called by pam_unix.
Next step: use ADS as an ldap server and kerberos authentication... but I'll keep this for next year!!
Please send comments if you disagree!
Sundance
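
Added example, not part of the thread and not HP's LDAP-UX code: a small Python check that reads nsswitch.conf and pam.conf text and reports, per service, which of the two password-checking paths described in the posts above is active. The sample file contents, the module file names and the labels `server-check`, `client-compare` and `local-only` are constructed for illustration; only the `pam_unix`/`pam_ldap` names and the `ldap` source come from the discussion.

```python
import re
# Constructed sample files (not from the thread). Module file names are
# assumptions; only the pam_unix / pam_ldap names come from the discussion.
NSSWITCH = """\
passwd:   files ldap
group:    files ldap
"""
PAM_CONF = """\
# service  type     control     module         options
login      auth     required    libpam_unix.1
login      account  required    libpam_unix.1
su         auth     sufficient  libpam_unix.1
su         auth     required    libpam_ldap.1  try_first_pass
"""

def nss_sources(text):
    """Map each nsswitch.conf database to its ordered list of sources."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if ":" in line:
            db, srcs = line.split(":", 1)
            # Drop bracketed action items, keep only the source names.
            out[db.strip()] = re.sub(r"\[[^\]]*\]", " ", srcs).split()
    return out

def pam_auth_modules(text):
    """Map each service to the auth modules stacked for it, in order."""
    out = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[1] == "auth":
            out.setdefault(fields[0], []).append(fields[3])
    return out

def password_paths(nss_text, pam_text):
    """Per service: where the typed password ends up being checked."""
    ldap_passwd = "ldap" in nss_sources(nss_text).get("passwd", [])
    report = {}
    for svc, mods in pam_auth_modules(pam_text).items():
        paths = []
        if any("pam_ldap" in m for m in mods):
            paths.append("server-check")    # password sent to the LDAP server
        if ldap_passwd and any("pam_unix" in m for m in mods):
            paths.append("client-compare")  # hash fetched via nss, compared locally
        report[svc] = paths or ["local-only"]
    return report

if __name__ == "__main__":
    for svc, paths in password_paths(NSSWITCH, PAM_CONF).items():
        print(svc, paths)
```

A `server-check` result marks services where the typed password crosses the network and the tunnel question from the thread applies; `client-compare` marks services where the directory has to hold crypt-format hashes that clients retrieve.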