
Re: Question about system accounts in LDAP.



On Tue, Aug 12, 2003 at 05:13:29PM +0300,
 ????? ????? <vasil@ludost.net> wrote 
 a message of 35 lines which said:

> that, to have the session and etc. things, i need to use the NSS system
> (/etc/nsswitch.conf) with the nss-pgsql module, not the PAM stuff

Of course, because some functions do not require authentication (the
work of PAM) but still require mappings of name2uid or the opposite.

Think of 'ls -l', for instance. The inode of a file stores an uid, not
a name. How can ls display a name? Because it calls getpwuid(3), which
in turn relies on NSS. (Try it: once logged in, shut down your LDAP
server - and the nscd if it exists. Then, 'ls -l ~'.)

> e.g. you practically can't make ssh authenticate directly from a
> database, without the help of something like /etc/passwd (you need
> the UID, homedir, etc. info).

No, no, and no. You can have a ssh authentication without anything in
/etc/passwd. You need NSS, true (sshd looks up to see if the user name
exists, before attempting authentication, and so getpwnam(3) must
succeed) but not /etc/passwd if PAM and NSS both use LDAP.

> So, my question is, am I wrong, or do you always have to use the NSS
> modules?

In practice, yes, using Unix without NSS is too painful (think about
ps, ls, id, etc).

> If so, why is there PAM, if you can use NSS?

PAM does a lot of things that NSS does not do. NSS only manages
mappings. PAM can create directories, force you to use two or more
authentication methods, etc.

So, in practice, you typically need both PAM and NSS.
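The two library calls named above (getpwuid(3) behind 'ls -l', getpwnam(3) behind sshd's pre-authentication check), as an added example that is not part of the original message. The function names uid_to_display and name_to_uid are hypothetical; both simply go through NSS, so whether the answer comes from /etc/passwd or from LDAP is decided by /etc/nsswitch.conf, not by this code.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Map a uid to a login name through getpwuid(3), i.e. through NSS.
 * If no NSS source answers (LDAP server down, nscd stopped, or the uid
 * simply unknown), fall back to the numeric uid, which is exactly what
 * 'ls -l' prints in that situation. Returns 1 if a name was found. */
int uid_to_display(uid_t uid, char *buf, size_t len)
{
    struct passwd *pw = getpwuid(uid);
    if (pw == NULL) {
        snprintf(buf, len, "%lu", (unsigned long)uid);
        return 0;
    }
    snprintf(buf, len, "%s", pw->pw_name);
    return 1;
}

/* The check sshd does before it even tries to authenticate: does the
 * account exist in some NSS source? Returns 1 and stores the uid, or 0
 * if getpwnam(3) fails. Note that nothing here opens /etc/passwd
 * itself; with "passwd: ldap" in nsswitch.conf, the file may be empty
 * of that user and the lookup still succeeds. */
int name_to_uid(const char *name, uid_t *out)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return 0;
    *out = pw->pw_uid;
    return 1;
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "root";
    char shown[256];
    uid_t uid;

    if (!name_to_uid(user, &uid)) {
        printf("%s: unknown to NSS, sshd would refuse before PAM ran\n", user);
        return 1;
    }
    uid_to_display(uid, shown, sizeof shown);
    printf("%s -> uid %lu -> %s\n", user, (unsigned long)uid, shown);
    return 0;
}
```

Run it with an LDAP-only account as the argument, then stop the directory server (and nscd) and run it again: the name lookup fails and the uid lookup degrades to a bare number, which is the behaviour the message describes for 'ls -l ~'.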
