Subject: Re: integrating PAM
To: Byron Servies <bservies@pacang.com>
From: Jason R Thorpe <thorpej@wasabisystems.com>
List: current-users
Date: 01/23/2003 13:50:15
On Thu, Jan 23, 2003 at 01:35:31PM -0800, Byron Servies wrote:
> p.s. Yes, I want LDAP authentication too. No, I don't
> know what the problems/benefits/limitations of this
> approach are. Yes, I know it's possible because other
> platforms have done it. No, I don't know how to do it
> myself. Yet.
See my last post about semantics :-)
LDAP is *not* an authentication mechanism. LDAP is a means of looking
up data -- in this case, user information. It's really more appropriate
to think of LDAP in the context of NSS, etc.:
[ from /etc/nsswitch.conf ]
passwd: files, ldap
group: files, ldap
Now that you have the user information from the LDAP database (which might
include their traditional-style unix password), you want to authenticate that
user...
[ from /etc/hypothetical_auth_scheme.conf ]
login: krb5, unix
I think it's important to recognize the non-coupling of the user information
lookup with the actual authentication mechanism.
Now, for something like RADIUS, which, as I understand it (and please correct
me if I'm wrong, because I don't know very much about it), specifies both
the user lookup and the way the password is verified, you might have
something like this:
[ from /etc/nsswitch.conf ]
passwd: files, radius
[ from /etc/hypothetical_auth_scheme.conf ]
login: radius, unix
--
-- Jason R. Thorpe <thorpej@wasabisystems.com>
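Added example, not part of the message above or of any NetBSD code: a small Python model of the split the message describes, in which a user record is found by walking an nsswitch-style source list (passwd: files, ldap) and the user is then authenticated by walking a separate, independently ordered list of mechanisms (login: krb5, unix). The "files" source, the LDAP directory, the Kerberos realm, the users and the password hashes are all constructed inline; pbkdf2 stands in for crypt(3) and a real KDC so the code runs offline; the hypothetical_auth_scheme.conf syntax is taken from the message. Real nsswitch.conf separates sources with whitespace; the parser also accepts the commas used in the message.

```python
"""Lookup chain (NSS) vs. authentication chain: a toy model.  Example code
added for illustration; every backend and every credential is constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

ITER = 20_000


def make_hash(password: str, salt: bytes) -> str:
    """Stand-in for crypt(3): 'pbkdf2$<salt-hex>$<sha256-dk-hex>'."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER)
    return f"pbkdf2${salt.hex()}${dk.hex()}"


def verify_hash(password: str, stored: str) -> bool:
    """Recompute and compare in constant time; anything unparseable fails."""
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "pbkdf2":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(parts[1]), ITER)
    return hmac.compare_digest(dk.hex(), parts[2])


@dataclass
class PwEntry:
    name: str
    uid: int
    pw_hash: str   # "x" when this source carries no hash for the user
    source: str    # which nsswitch source produced the record


# Constructed data: a flat passwd file, an LDAP-like directory, a Kerberos-like realm.
PASSWD_FILE = "root:x:0:0:root:/root:/bin/sh\nalice:x:1000:1000:Alice:/home/alice:/bin/sh\n"
LDAP_DIRECTORY = {                      # uid -> (uidNumber, userPassword)
    "root": (0, make_hash("ldap-root-pw", b"\x01" * 8)),
    "bob": (1001, make_hash("correct horse", b"\x02" * 8)),
}
KRB5_REALM = {                          # principal -> password-derived key
    "alice@EXAMPLE.COM": make_hash("battery staple", b"\x03" * 8),
}


def parse_switch(text: str) -> Dict[str, List[str]]:
    """'db: src1 src2' (commas tolerated, '#' comments stripped) -> ordered sources."""
    table: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            db, _, rest = line.partition(":")
            table[db.strip()] = rest.replace(",", " ").split()
    return table


# Lookup side: what NSS does for getpwnam(3).
def files_lookup(name: str) -> Optional[PwEntry]:
    for line in PASSWD_FILE.splitlines():
        f = line.split(":")
        if f[0] == name:
            return PwEntry(name, int(f[2]), f[1], "files")
    return None


def ldap_lookup(name: str) -> Optional[PwEntry]:
    hit = LDAP_DIRECTORY.get(name)
    return PwEntry(name, hit[0], hit[1], "ldap") if hit else None


LOOKUP: Dict[str, Callable[[str], Optional[PwEntry]]] = {"files": files_lookup, "ldap": ldap_lookup}


def getpwnam(name: str, switch: Dict[str, List[str]]) -> Optional[PwEntry]:
    """First source listed under 'passwd:' that knows the user wins; unknown sources are skipped."""
    for src in switch.get("passwd", []):
        backend = LOOKUP.get(src)
        entry = backend(name) if backend else None
        if entry is not None:
            return entry
    return None


# Authentication side: independent of where the record came from.  A mechanism
# returns None when it holds no credential for the user (try the next one) and a
# definite True/False otherwise; the chain stops at the first definite verdict, so
# a wrong krb5 password is never retried against a weaker mechanism further down.
def krb5_auth(entry: PwEntry, password: str) -> Optional[bool]:
    key = KRB5_REALM.get(f"{entry.name}@EXAMPLE.COM")
    return None if key is None else verify_hash(password, key)


def unix_auth(entry: PwEntry, password: str) -> Optional[bool]:
    return None if entry.pw_hash in ("x", "*", "") else verify_hash(password, entry.pw_hash)


AUTH: Dict[str, Callable[[PwEntry, str], Optional[bool]]] = {"krb5": krb5_auth, "unix": unix_auth}


def authenticate(name: str, password: str, switch: Dict[str, List[str]],
                 auth_conf: Dict[str, List[str]]) -> Tuple[Optional[str], bool]:
    """Returns (mechanism that decided, verdict); (None, False) when none could decide."""
    entry = getpwnam(name, switch)
    if entry is None:
        return None, False
    for mech in auth_conf.get("login", []):
        backend = AUTH.get(mech)
        verdict = backend(entry, password) if backend else None
        if verdict is not None:
            return mech, verdict
    return None, False


NSSWITCH = "passwd: files, ldap\ngroup: files, ldap\n"   # as in the message
AUTH_SCHEME = "login: krb5, unix\n"                       # hypothetical_auth_scheme.conf
```

With these tables, alice is found in files and authenticated by krb5, bob is found in LDAP and authenticated against the hash stored there, and root is found in files first, whose record carries no hash, so neither mechanism can decide even though LDAP holds a hash for root; swapping the passwd order to "ldap files" changes that outcome without touching the auth list, which is the decoupling the message is pointing at.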