Michael Oberg - Freiberuflicher EDV-Berater und Software-Entwickler
Frame Version


The "Pluggable Authentication Modules" (PAM) are responsible for user authentication of most Linux services. The module pam_ldap saves the passwords, user accounts, UNIX groups and other data in the LDAP database. This is important for access rights across mixed-mode networks (such as Linux and Windows).

For compiling pam_ldap see also the sections nss_ldap-207 and pam_ldap-164 in the script COMPILE-MYLINUX. The patch nss_ldap.patch corrects a too strong restriction of the "configure" script: Under myLinux there are newer versions of aclocal and automake installed than the versions required by the "configure" script. The version inquiry is disabled thereby.

Connection to LDAP

The connection between pam_ldap and nsswitch (name service switch) is made by file /etc/ldap.conf. This file is only a soft link to the file /etc/openldap/ldap.conf, which is the configuration file for the client tools of openLDAP (ldapsearch, ldapadd, ldapdelete etc.).

The file /etc/nsswitch.conf indicates, which services of the name service switch are changed over to LDAP. The conversion is of the form "files ldap", i.e. the original configuration files /etc/passwd, /etc/shadow and /etc/group are first queried. If no entry is found then, the query is passed to openLDAP.

Connection to the services

The authentication of individual services is regulated by configuration files in the /etc/pam.d directory. These files mostly correspond to the files delivered with pam_ldap, apart from the commented calls of cracklib and pwdb (both are not installed at this time).

Adjustments are made for the files of the mail systems, the web server and the secure shell. There are two different regulations, represented by the files /etc/pam.d/pop and /etc/pam.d/sshd. The first allows only LDAP users to authenticate themselves, it denies access for users which are only defined in the UNIX password system /etc/passwd so as the privileged system users (root, bin etc.). Additionally this file allows only the authentication itself, not a UNIX session, because this is not required by the mail system or the web services.

On the other side the file of the secure shell, /etc/pam.d/sshd, enables login and a UNIX session, not only for LDAP users but for all system users from the /etc/passwd file, too.

The file /etc/pam.d/pop is responsible for a number of services. For this reason there is a number of soft links in the /etc/pam.d directory to this file. See in the output of the command ls -l /etc/pam.d/.