System Administration
Showing results for 
Search instead for 
Did you mean: 

which ldap authentification: pam or nss?


which ldap authentification: pam or nss?


I started reading documentation on HPUX-LDAP integretion...
Beside using a NIS-LDAP gateway, I see that LDAP can be accessed/queried either by the pam_ldap or by nss_ldap. I don't really understand with we have the 2 access type, when and why should we used one or the other.
Most of all, which one should I install?

Thanks for your help,

Exalted Contributor

Re: which ldap authentification: pam or nss?

The answer depends on your situation, which you have not told us anything about, not even your server OS.

But, pam_ldap seem to be the way to go, based on my talks with variouis folks at HP.

Steven E Protter
Owner of ISN Corporation

Re: which ldap authentification: pam or nss?

we are running HPUX 11i servers.
We have a ADS directory (but using ADS is not mandatory).

First, we want to use netgroups for our NFS drive 'ACL'.
Then I want to centralise account information... I don't have much now to centralize but I might as well start now!

Can you explain what is the difference between pam and nss ?

Occasional Visitor

Re: which ldap authentification: pam or nss?

In a nutshell, pam is for authenication and nss is for name service.

pam_ldap provides a new authentication method which allows HP-UX box to use ldap server for authenication.

nss_ldap provides a new name service that allows user to look up information, such as group/passwd/netgroup/protcol/hostname from the ldap server.

When should you used one or the other depends what you are trying to accomplish.

For example, if you issue command such as login/su/remsh, these commands are using both pam_ldap and nss_ldap.

Other command such as who, gwget, finger is using nss_ldap only. (just queries name information, and no authentication is involved.)

Both pam_ldap and nss_ldap are installed during the setup of HP-UX LDAP integration.

But you can always select your authenication method and names service by customizing the pam.conf and nsswitch.conf
Honored Contributor

Re: which ldap authentification: pam or nss?

If you have a windows ADS, then for password authentication you use pam_ntlm.

Works well. We just started using it a couple of weeks ago. Even when expired the users passwords on ADS, when they logged onto our HPUX they were prompted to change their password and it updated the ADS! (cool...)


-- Rod Hills
There be dragons...

Re: which ldap authentification: pam or nss?

I went trough all the docs one more time and made some tests... here's what I understood. My focus is the authentification, specialy the password being send on the network.

pam_ldap is (as its name says) for authentification. authentification is the process of checking the password given by the user at the prompt and the password in stored in the database.
pam_ldap send "as is" the password given by the user to the ldap server. The ldap server crypt the password and compares it with the one strored in its database. The ldap server answers with an OK if the password was good. The benefits is that
1) the password encryption is plateform independant (not necessarily crypt format)
2) the password policy is applied on the server, plateform independant. Nothing to configure on the clients
The password is send uncrypted unless you use ldaps (witch is not supported by ldapux).
HP recommend the use of secure tunnel like stunnem or IPSec/9000. I have not tested it.

nss (name service switch) is a name service switch i.e. switch between different database (files, nis, ldap).
For authentification, nss is call by the pam_unix (trhough getpwent()).
It tries to retrieve the password field in the database; prompt for a password, encrypt the password and then compare the 2 encrypted passwd.
1) because of this behavior, password must be in crypt format in the database (the ldap directory).
2) the password is crypted when send on the network

So you don't HAVE TO configure pam_ldap AND nss_ldap.

I configure pam.conf with only pam_unix (default configuration) and added ldap in nsswitch.conf. Again, this is because nss is called by pam_unix.

Next step: use ADS as an ldap server and kerberos authentification... but I'll keep this for next year!!

Please send comment if you disagree!