libpam-ldap or libpam-ldapd?

ubuntu debian authentication ldap pam
7,827

Solution 1

I am very fond of libpam-ldapd, have been using it for a year now in production on quite a few Ubuntu servers. I can recommend it over libpam-ldap.

The project is originally called nss-pam-ldapd and on its homepage you can find a list of its biggest advantages over the old libpam-ldap package.

Edit: In conjunction with libpam-ldapd on Ubuntu you should also look into the auth-client-config package to correctly configure PAM et al.

Solution 2

While libnss-ldapd is better than libnss-ldap in practically every way, the libpam-ldapd has one major deficiency: it can't handle LDAP ppolicy, and I couldn't find any information about password change using LDAP Extended Operation (it may handle it transparently).

If you have a "shadow" free LDAP (if you use ppolicy you most certainly will if you use OpenLDAP as both ppolicy and smbk5pwd don't update the shadow password ageing information) you need libpam-ldap or users won't be notified that their password will expire soon.

Thankfully, you can mix and match them. I've been using libnss-ldapd together with libpam-ldap for over a year now without any problems.

Solution 3

One reason we have been forced to convert to libpam-ldapd is that we use SSL for our LDAP servers. Thanks to libgcrypt "brokenness" (see Debian bug 566351 or Ubuntu bug 23252, both entertaining), this means that sudo stops working when libpam-ldap & libnss-ldap are used with LDAP/SSL.

Your options if you want to use SSL with LDAP (and why wouldn't you?) are to recompile libpam-ldap with OpenSSL or use libpam-ldapd.

Share:
7,827

Related videos on Youtube

jldugger
Author by

jldugger

DevOps Engineer

Updated on September 18, 2022

Comments

  • jldugger
    jldugger almost 2 years

    I'm setting up LDAP authentication on my personal VPS, and Ubuntu has two packages for the same purpose: libpam-ldap and libpam-ldapd. Which should I use?

  • jldugger
    jldugger almost 13 years
    Wow, that's a pretty crazy thread. But it looks like they're dropping libgcrypt in favor of nettle?
  • Zanchey
    Zanchey almost 13 years
    Hasn't happened yet. Anyhow, lipam-ldapd is probably "better" from an architectural purity and security point of view, but if nslcd ever crashes you might be SOL.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

LDAP/Pam: No passwd entry for user while getent passwd shows all LDAP users
While trying to ssh, pam_ldap always sends the password "INCORRECT" causing bind to fail
pam_sss access denied with kerberos authentication ok
Public key authentication for LDAP users using local authorized_keys
Cyrus on CentOS with sasl / pam / ldap
How to use Linux username and password with Subversion?
smbpasswd: Failed to add entry for user
Authentication failed of pure-ftpd
PAM / LDAP authentication with Ubuntu 10.04
How to only allow users and/or groups access certain client machines that are connected to an openldap server?