:: Re: [DNG] Implementing directory se…
Top Page
Delete this message
Reply to this message
Author: wirelessduck
Date:  
To: cacho
CC: dng
Subject: Re: [DNG] Implementing directory services/Kerberos
On Fri, 9 Nov 2018 at 10:02, Héctor González <cacho@???> wrote:
>
>
> >> Quoting wirelessduck@??? (wirelessduck@???):
> > [snip]
> >>> So my next question is, whats the recommended package to authenticate
> >>> with LDAP and allow users to login to a desktop via their LDAP
> >>> account? I've seen various options for PAM and NSS, but do I need to
> >>> configure both or just one?
> > [snip]
>
> You can use libpam-ldap for this, it handles the authentication part.
> NSS is used to "populate" your passwd and group files from ldap, if you
> need it. Your users will work with just the PAM part, but It´s easier
> to use NSS so you can change permissions using usernames instead of
> UIDs.
>
> A "getent passwd user" will require libnss-ldap (and a working
> /etc/libnss-ldap.conf which should be autogenerated)
>
> If you choose to use nscd, you should replace the suggested-size passwd
> option with a sufficient size for your expected amount of users, the
> manual says it is a hash table, so it should be a prime number bigger
> than double the amount of expected users -hint, the primes package from
> bsdgames can find primes for you).
>
> nscd acts as a cache for nss calls so you don´t flood your ldap server
> with queries.
>
> There is also nslcd, which I remember using with samba-ad, as nscd
> didn´t like that ldap for some reason, and it has a different config
> file /etc/nslcd.conf
>
> I´d use nscd first, and if you run into trouble try nslcd.
>


Thanks,

nslcd appears to be working fine here now. I don't think I need to
fiddle with any nscd settings at this point in time.

--Tom

--
Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html