# LDAP authentication without PAM

## Scorpion265

Hello, all the walkthroughs and howtos I have found for LDAP authentication use PAM. I don't have PAM installed, and would rather not. Can someone tell me if it's possible to do this? If so, can you post a link or type up what you did? Thanks in advance!   :Very Happy: 

----------

## Scorpion265

Bump, and also, would the nss_ldap be enough for system authentication? Or am I going to need PAM to allow this? I don't not need PAM, I'd just rather not use it.

----------

## UberLord

nss_ldap just resolves UIDs to names and back again.

pam_ldap handles the authentication part. Now the question becomes, what applications? Some support LDAP directly so you don't need PAM. However, others such as vsftpd don't support LDAP so you will need PAM - or something it supports.

What's so bad about PAM?

----------

## Scorpion265

 *UberLord wrote:*   

> nss_ldap just resolves UIDs to names and back again.
> 
> pam_ldap handles the authentication part. Now the question becomes, what applications? Some support LDAP directly so you don't need PAM. However, others such as vsftpd don't support LDAP so you will need PAM - or something it supports.
> 
> What's so bad about PAM?

 

So then I would be able to log in locally, use ssh, and samba without PAM? Just build them with LDAP support? The reason I don't use PAM is just for simplicity. I was a Slackware user before Gentoo, and was able to use the system without PAM, and I'd like to keep it that way. I've heard that it causes problems for some people, and from what I understand, it's not maintained well.

----------

## To

Or you may use PAM and do all the rest; smb_pam is the answer to your problem... I do have the same question as UberLord: why not PAM?

Tó

----------

## Scorpion265

 *To wrote:*   

> Or you may use PAM and do all the rest; smb_pam is the answer to your problem... I do have the same question as UberLord: why not PAM?
> 
> Tó

 

I explained the whole no PAM thing in the post above. All I have to do is to recompile each individual service with LDAP support. So I just need to identify what package the login command is a part of. Not the PAM login either  :Wink: 

----------

## UberLord

 *Scorpion265 wrote:*   

> I explained the whole no PAM thing in the post above.

 

No, you just said you would rather not have it. I'd like to know why? Do you think it's insecure, error prone or just a bad idea?

----------

## Scorpion265

 *UberLord wrote:*   

> *Scorpion265 wrote:*
> 
> > I explained the whole no PAM thing in the post above.
> 
> No, you just said you would rather not have it. I'd like to know why? Do you think it's insecure, error prone or just a bad idea?

 

I'll be honest, I think it's poorly maintained, as well as insecure. If I can build direct support for a protocol in a package I'd much rather do that. All I had to do to get the login working right with LDAP was recompile shadow with LDAP support, as well as samba, and ssh. Everything is authenticating seamlessly now  :Very Happy: . I think I am going to put together a howto and slap it up on the Gentoo wiki.

----------

## mmairs

You still about?  Ever write that howto?  Thanks...

----------

## dman777

I don't mind using PAM, but I would like to see this wiki also. It's all about the freedom of customizing your system the way you want.

----------

## Genone

 *Scorpion265 wrote:*   

> All I have to do is to recompile each individual service with LDAP support. So I just need to identify what package the login command is a part of.

 

Assuming those services/commands support LDAP, which needs much more than just linking in another library. And it's not just the login command, you'll also have to change passwd, useradd and many more.

----------

