The answer depends on your situation, which you have not told us anything about, not even your server OS.

But, pam_ldap seem to be the way to go, based on my talks with variouis folks at HP.

SEP

Opps...
we are running HPUX 11i servers.
We have a ADS directory (but using ADS is not mandatory).

First, we want to use netgroups for our NFS drive 'ACL'.
Then I want to centralise account information... I don't have much now to centralize but I might as well start now!

Can you explain what is the difference between pam and nss ?

Thanks,
S

In a nutshell, pam is for authenication and nss is for name service.

pam_ldap provides a new authentication method which allows HP-UX box to use ldap server for authenication.

nss_ldap provides a new name service that allows user to look up information, such as group/passwd/netgroup/protcol/hostname from the ldap server.

When should you used one or the other depends what you are trying to accomplish.

For example, if you issue command such as login/su/remsh, these commands are using both pam_ldap and nss_ldap.

Other command such as who, gwget, finger is using nss_ldap only. (just queries name information, and no authentication is involved.)

Both pam_ldap and nss_ldap are installed during the setup of HP-UX LDAP integration.

But you can always select your authenication method and names service by customizing the pam.conf and nsswitch.conf
files.

If you have a windows ADS, then for password authentication you use pam_ntlm.

Works well. We just started using it a couple of weeks ago. Even when expired the users passwords on ADS, when they logged onto our HPUX they were prompted to change their password and it updated the ADS! (cool...)

HTH

-- Rod Hills

I went trough all the docs one more time and made some tests... here's what I understood. My focus is the authentification, specialy the password being send on the network.

pam_ldap
pam_ldap is (as its name says) for authentification. authentification is the process of checking the password given by the user at the prompt and the password in stored in the database.
pam_ldap send "as is" the password given by the user to the ldap server. The ldap server crypt the password and compares it with the one strored in its database. The ldap server answers with an OK if the password was good. The benefits is that
1) the password encryption is plateform independant (not necessarily crypt format)
2) the password policy is applied on the server, plateform independant. Nothing to configure on the clients
Drawbacks:
The password is send uncrypted unless you use ldaps (witch is not supported by ldapux).
HP recommend the use of secure tunnel like stunnem or IPSec/9000. I have not tested it.

nss_ldap
nss (name service switch) is a name service switch i.e. switch between different database (files, nis, ldap).
For authentification, nss is call by the pam_unix (trhough getpwent()).
It tries to retrieve the password field in the database; prompt for a password, encrypt the password and then compare the 2 encrypted passwd.
1) because of this behavior, password must be in crypt format in the database (the ldap directory).
2) the password is crypted when send on the network

So you don't HAVE TO configure pam_ldap AND nss_ldap.

I configure pam.conf with only pam_unix (default configuration) and added ldap in nsswitch.conf. Again, this is because nss is called by pam_unix.

Next step: use ADS as an ldap server and kerberos authentification... but I'll keep this for next year!!

Please send comment if you disagree!

Sundance