Linux Services Management using NSS and PAM


As part of integrating everything into LDAP, I needed to integrate Linux authentication and naming services into LDAP.


Linux in general and CentOS in particular use Name Service Switch (NSS) for name services and Pluggable Authentication Modules (PAM) for authentication. Thankfully, PADL provides nss_ldap and pam_ldap for using NSS and PAM with an LDAP backend. CentOS comes with both nss_ldap and pam_ldap.

nss_ldap and pam_ldap


Our configuration files (/etc/ldap.conf and /etc/nsswitch.conf) are simple. There is little to say that is not already said by the comments of the files.

In addition to using the configuration files, I ran 'authconfig' and enabled LDAP. This makes the needed changes to the PAM configuration files.

OpenLDAP Configuration

There are two schemas for storing Network Information Service information in LDAP: RFC2307 and RFC2307bis, and nss_ldap and pam_ldap have support for both. While RFC2307bis never made it past the Internet Draft stage, it has some advantages that have caused it to survive. One of these advantages is that accounts in a POSIX group can be represented by the account's LDAP DN rather than the account's UID. This ensures that the account entries in a group will be unambiguous and allows the groups to be used in the OpenLDAP Access Control Lists (ACLs). As a result, I use the RFC2307bis schema rather than the RFC2307 schema.
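The ambiguity described above can be checked before moving groups from RFC2307 to RFC2307bis. The following is an added example, not code from the original post: it maps each memberUid value of a group to account DNs and reports values that match several entries or none. The dc=example,dc=com suffix, all account and group names, and the choice of groupOfNames as the structural class are assumptions.

```python
# Added example with constructed data; every DN and name here is hypothetical.
ENTRIES = [
    ("uid=jdoe,ou=People,dc=example,dc=com", {"uid": ["jdoe"]}),
    ("uid=jdoe,ou=Contractors,dc=example,dc=com", {"uid": ["jdoe"]}),
    ("uid=asmith,ou=People,dc=example,dc=com", {"uid": ["asmith"]}),
]

# RFC2307-style group: members are listed by login name in memberUid.
RFC2307_GROUP = {"cn": ["ldapadmins"], "gidNumber": ["5000"],
                 "memberUid": ["jdoe", "asmith", "ghost"]}


def resolve_member_uid(uid, entries):
    """Return every DN whose uid attribute matches (uid is case-insensitive)."""
    return [dn for dn, attrs in entries
            if uid.lower() in (v.lower() for v in attrs.get("uid", []))]


def convert_group(group, entries):
    """Map memberUid values to member DNs; collect values that do not map 1:1."""
    members, ambiguous, missing = [], {}, []
    for uid in group.get("memberUid", []):
        dns = resolve_member_uid(uid, entries)
        if len(dns) == 1:
            members.append(dns[0])
        elif dns:
            ambiguous[uid] = dns      # same login name under several DNs
        else:
            missing.append(uid)       # stale member with no account entry
    return members, ambiguous, missing


def to_ldif(dn, group, members):
    """Render the group in RFC2307bis form, with posixGroup as an auxiliary class."""
    lines = [f"dn: {dn}", "objectClass: groupOfNames", "objectClass: posixGroup",
             f"cn: {group['cn'][0]}", f"gidNumber: {group['gidNumber'][0]}"]
    lines += [f"member: {m}" for m in members]
    return "\n".join(lines)


if __name__ == "__main__":
    members, ambiguous, missing = convert_group(RFC2307_GROUP, ENTRIES)
    print(to_ldif("cn=ldapadmins,ou=Groups,dc=example,dc=com", RFC2307_GROUP, members))
    for uid, dns in ambiguous.items():
        print(f"# ambiguous memberUid {uid!r}: {dns}")
    for uid in missing:
        print(f"# no account entry for memberUid {uid!r}")
```

Ambiguous and missing values need a manual decision before the group is referenced from an ACL, since an ACL group clause grants access to whichever DNs end up in member.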

While CentOS ships with the RFC2307 schema (/etc/openldap/schema/nis.schema), it does not ship with the RFC2307bis schema. However, SuSE does ship with the RFC2307bis schema (rfc2307bis.schema), so I copied it from the SuSE OpenLDAP package. In order to make it work, I had to create a modified rfc2307bis.schema from the schema copied from SuSE.