Re: SSL packages (LDAP PAM NSS) +
What I am wondering about is:
a) Does anyone maintain ssl versions of nss-, pam- ldap and openldap 2.0.1x?
Over the last two days I just completed converting my development
environment to a fully LDAP NSS/PAM environment in preparation of
converting the entire data center.
I used the slapd, libpam-ldap, and libnss-ldap (plus dependencies) packages
from Woody to do so. I also used the PADL migration tools (maybe someone
should package these and put them as recommended for the two libXXX-ldap
None of this supports SSL. However, you can get around this two ways,
neither of which I have yet done:
1) Get the source packages and recompile all of them with SSL support enabled
2) Use stunnel (or SSH or whatever) to set up SSL tunneling
I don't intend to do either for now. If you find an easier way (a
prepackaged .deb way, preferably) please let me know. I did investigate
doing #1, but the sheer number of options to openldap combined with my
minimal knowledge of changing Debian package configuration prior to the
simple build, stopped me until I had more time on my hands.
On the other hand, I would be very interested to know if you or anyone has
a PAM/NSS/LDAP installation on Debian using slave LDAP servers as hot
backups. I haven't seen any documented way of doing this anywhere, such as
providing a list of servers which can be attempted.
For PAM, however, I suppose it's relatively simple to do something like:
auth sufficient pam_ldap.so
auth sufficient pam_ldap.so config=/etc/pam_ldap-slave.conf
auth required pam_unix.so nullok try_first_pass
(Although I haven't tried it yet)
On the other hand, I do not yet see a way to do this with NSS. I would
I would like to advise you to ensure at least a+r permissions on
/etc/nsswitch.conf. If you do not, then simple things like getent networks
will not work for non-root users. The installation recommends mode 0600
which I found does NOT work because non-root users running programs using
the glibc nss will not be able to get the answers from the now-depopulated