# OpenLDAP users/login without PAM

## lcidw

This question has been asked by someone quite a long time ago, somewhere in 2005 if I remember correctly, and there was no answer back then. And it's still something I'd like to know, to see what I run into and what is possible, before I start experimenting with it, which I'm planning to do very soon.

Is it possible to have network users with OpenLDAP (thus no manual account creation on every machine) without PAM?

Is it possible for users (being those network users, or normal accounts if that isn't possible) to log in with SSH, or maybe just FTP, without PAM? And to add one more question:

How, or would, RADIUS fit into this? Answer: RADIUS can get its user data from LDAP.

I can't give a specific reason why I don't want to use PAM, I guess it's just an itch. Gentoo user after all :Wink: .

Thanks in advance!

Last edited by lcidw on Sat Jan 09, 2010 3:34 am; edited 1 time in total

----------

## aceFruchtsaft

IMHO it makes no sense not to use PAM on the one hand but to want to use an authentication plugin on the other.

PAM was written exactly for this reason: to provide a generic and standardized authentication framework which can be easily extended to offer additional authentication methods besides the traditional unix/shadow mechanism (such as LDAP).

So if you want to use LDAP and don't want to use PAM, go right ahead: all you have to do is to rewrite the authentication mechanism for any application you want to use (such as login, ssh, etc.) because without PAM these will only authenticate against the default local password database. 

Alternatively, you could write a generic authentication layer for all these apps and provide an LDAP backend. Then you will have duplicated PAM, most likely with more bugs and less flexibility.  :Wink: 

----------

## lcidw

*aceFruchtsaft wrote:*

> So if you want to use LDAP and don't want to use PAM, go right ahead: all you have to do is to rewrite the authentication mechanism for any application you want to use (such as login, ssh, etc.) because without PAM these will only authenticate against the default local password database.

No, my question is: why PAM? There's _only_ PAM which can do this, when we have 1000s of distributions, 100s of databases and interfaces, and so on.

*aceFruchtsaft wrote:*

> Then you will have duplicated PAM, most likely with more bugs and less flexibility.

Let me try to show why I wanted to do without PAM:

I never needed it so far, which is why I ditched it.

IMHO, I get a feeling that PAM wants to do eeeeeeverything, that it's way too big. Which is why simpler/cleaner solutions for parts of it turn up (like nss-ldapd (http://ch.tudelft.nl/~arthur/nss-ldapd)).

Besides that, PAM puts quite some setuid binaries on the system; maybe they're needed, but that doesn't mean I don't need to worry.

Quite some PAM-related bugs: https://bugs.gentoo.org/buglist.cgi?quicksearch=pam

Relatively frequent GLSAs related to PAM.

I don't care much for flexibility.

----------

## ccp

As far as I know, openssh and proftpd have built-in support for LDAP; if you configure them correctly you will not need PAM.

I have the same feeling about using PAM, hence I was doing the same thing you planned. I just finished my research: for each function you want on a server, there is always software that supports LDAP without requiring PAM. BUT it becomes questionable if I were to install, say, 3~5 different server functions, each with its own way of configuring LDAP. This is something I am still trying to justify: why not use PAM :Rolling Eyes:

----------

## nativemad

I have most of my services (web, mail, dns, ftp) configured to ask ldap directly instead of pam! The only exception is nginx!

But I had to configure the nss stuff for proftpd to work correctly, so that uids/gids get resolved.

Imho it's a bit of a security measure to have the control that, for example, never ever can a mail user access the mail server via ssh (even if it's just the lazy admin who forgot to disable that... :Wink: ). Furthermore, why should the MTA on a mail server with virtual users query ldap a second time (nss) to deliver mail!?

Ok, if you have a lot of services on one machine, then it's probably an option to go the other way around!   :Wink: 

----------

## lcidw

Well, I currently have a webserver with its users defined in MySQL, using nsvsd. It's -just- nsvsd; the nsswitch.conf looks like this:

```
passwd:         compat nsvs
shadow:         compat nsvs
group:          compat nsvs
```

One piece of software, nscd (installed by default), can cache stuff, working as if they were local users; no software modification needed. This is why I'm wondering why I would need PAM, if something like nsvsd can do it this easily.

The drawback: since nsvsd hasn't been developed since 2005 or so, it's subject to removal from the tree.
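The nss-ldapd route mentioned earlier in the thread, as an added example that is not from the thread itself: an nsswitch.conf that falls through to LDAP, with the matching nslcd.conf. The server URI, base DN, bind account and CA path are assumed placeholders.

```conf
# /etc/nsswitch.conf -- local files first, then nss-ldapd (nslcd)
passwd:  files ldap
shadow:  files ldap
group:   files ldap

# /etc/nslcd.conf -- nss-ldapd daemon configuration (assumed values)
uid nslcd
gid nslcd
uri ldap://ldap.example.com/
base dc=example,dc=com

# read-only bind account; the shadow map only returns hashes if this DN may read userPassword
binddn cn=nss-reader,dc=example,dc=com
bindpw CHANGE-ME-PLACEHOLDER

# never send credentials or hashes in the clear
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/ca.crt

# only hand out entries that are meant to be unix accounts/groups
filter passwd (objectClass=posixAccount)
filter shadow (objectClass=shadowAccount)
filter group  (objectClass=posixGroup)
```

Without PAM, sshd or login still authenticate by comparing crypt(3) hashes fetched through the shadow map, so the bind account must be allowed to read userPassword and every client host that runs nslcd receives those hashes; restrict that ACL to the nslcd bind DN and keep nslcd.conf mode 0600.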

----------

## ccp

*lcidw wrote:*

> Well, I currently have a webserver with its users defined in MySQL, using nsvsd. It's -just- nsvsd; the nsswitch.conf looks like this:
> 
> ```
> passwd:         compat nsvs
> 
> ...

I fail to understand your logic. If your concern is modifying software, then PAM is designed with this in mind; on a Linux server almost everything that wants to use an authentication process has PAM support built in.

I thought your reason for disliking PAM is because it tries to do too much; isn't nsvs doing just as much?

----------

## lcidw

*ccp wrote:*

> I fail to understand your logic. If your concern is modifying software, then PAM is designed with this in mind; on a Linux server almost everything that wants to use an authentication process has PAM support built in.
> 
> I thought your reason for disliking PAM is because it tries to do too much; isn't nsvs doing just as much?

You did fail to understand my logic indeed  :Wink: 

Nsvsd here is just one package I needed to install; I didn't need to modify (or add support to) other software, and just as the apps don't know and don't care about nsvsd, nsvsd doesn't care about them either, because it simply doesn't have anything to do with them. Nsvsd simply has users in my -already existing anyway- database. That's all it does: an interface between nsswitch.conf and my MySQL db, simple and clean. Using PAM however..

My concern is to _not_ modify the existing software. Using PAM will require me to rebuild quite some software with PAM support (pam USE flag), and change their configuration files (like sshd_config), and I'll have quite some PAM libraries that can do way more than I need. Software needs to know about pam, and pam needs to be configured for the software.

----------

## aceFruchtsaft

*lcidw wrote:*

> and I'll have quite some PAM libraries that can do way more than I need.

If you don't need them, just don't build them or don't include them in your auth/account/password/session/ stack. PAM is highly modular.

*Quote:*

> Software needs to know about pam,

True.

*Quote:*

> pam needs to be configured for the software.

Not true. PAM does not care what software uses it. Actually this is one of its benefits: you can configure only a single authentication stack for all your PAM-enabled software. To me this sounds way better than configuring each service separately to access LDAP.
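A single shared stack with pam_ldap, as an added example (not from the thread) of what this post describes, plus a per-service file that limits ssh logins to listed groups, which is the kind of control nativemad asked for earlier in the thread. The file paths and the allowed_groups file are assumed.

```conf
# /etc/pam.d/system-auth (assumed path) -- one stack, included by every PAM-enabled service
# auth: try the local shadow entry first, then LDAP; deny if neither accepts the password
auth      required    pam_env.so
auth      sufficient  pam_unix.so try_first_pass
auth      sufficient  pam_ldap.so use_first_pass
auth      required    pam_deny.so

# account: LDAP users pass here; local users (unknown to pam_ldap) fall through to pam_unix
account   sufficient  pam_ldap.so
account   required    pam_unix.so

# password: quality check sets the new token, then whichever backend owns the user stores it
password  required    pam_cracklib.so retry=3
password  sufficient  pam_unix.so try_first_pass use_authtok sha512 shadow
password  sufficient  pam_ldap.so use_authtok
password  required    pam_deny.so

session   required    pam_limits.so
session   required    pam_unix.so
session   optional    pam_ldap.so

# /etc/pam.d/sshd (assumed path) -- per-service restriction without touching sshd_config:
# only members of the groups named in /etc/ssh/allowed_groups (assumed file) may log in over ssh
auth      required    pam_listfile.so onerr=fail item=group sense=allow file=/etc/ssh/allowed_groups
auth      include     system-auth
account   include     system-auth
password  include     system-auth
session   include     system-auth
```

Because pam_listfile runs first with onerr=fail, a missing or unreadable allowed_groups file blocks ssh logins rather than silently allowing them, so a mail-only account defined in LDAP is rejected before its password is even checked.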

----------

## ccp

*lcidw wrote:*

> *ccp wrote:* I fail to understand your logic. If your concern is modifying software, then PAM is designed with this in mind; on a Linux server almost everything that wants to use an authentication process has PAM support built in.
> 
> I thought your reason for disliking PAM is because it tries to do too much; isn't nsvs doing just as much?
> 
> You did fail to understand my logic indeed
> ...
OK, now it is clear: we are talking about a pre-existing condition, not general rules :Surprised:

I assume your pre-existing condition also includes the USE flag "ldap" then? Otherwise you will have to rebuild your software anyway :Smile:

If you have the ldap flag pre-built, then using PAM actually lets you use LDAP without modifying your existing software's configuration files. But then again, I am talking about using PAM, which requires you to recompile, so just take this as a reference.

----------

## pactoo

Not sure what I did exactly, it has been ages since I've done this on slackware, but way back there was no need for PAM, as slackware came without PAM, but using nsswitch(.conf) for LDAP Auth worked just fine. While I really cannot recall what I have done, you may want to do a little research in this direction.

----------

## lcidw

*pactoo wrote:*

> Not sure what I did exactly, it has been ages since I've done this on slackware, but way back there was no need for PAM, as slackware came without PAM, but using nsswitch(.conf) for LDAP Auth worked just fine. While I really cannot recall what I have done, you may want to do a little research in this direction.

Tehee, that's exactly what I want :Smile: Once I find some time again to play with it, I'll update the thread.

----------

