Split authentication and NSS lookups for users and groups to different servers


I’ve asked this question previously: Multiple Bind and base DNs in ldap.conf

Since that previous question was answered in the negative, I’m looking for other options such as splitting authentication and NSS lookups (as suggested in the answer provided in the link above).

How are authentication and NSS lookups split across different servers?

Solution:

It’s tricky. You need a PAM module that performs LDAP authentication, but doesn’t use the same configuration as your LDAP plugin for NSS. This is problematic because most distros assume you’re using an integrated LDAP solution.

  • PADL’s pam_ldap module looks like it can be configured to use a different configuration file than the one used by PADL’s LDAP plugin for NSS.
    • Be advised that PADL’s implementation of LDAP for NSS does not involve a daemon like nslcd and is considered inferior for that reason.
    • If your distro allows you to use nslcd and PADL’s pam_ldap side by side, you can try that (not likely). The packages are usually mutually exclusive because they provide similar functionality. Unless the NSS plugin is packaged separately, there will be a file conflict (libnss_ldap.so).
  • Take a look at pam_sssd, if your distro supplies it. I think it might be possible to use these side by side, but it relies upon sssd and I haven’t set that up before.
  • Custom compile a pam_ldap implementation and configure it to use a separate configuration file. You’re on your own for this. Of note, PADL’s pam_ldap looks like it can be built separately from its NSS library.
  • If you have a Kerberos implementation (i.e. Active Directory), you can use pam_krb5.so for authentication and point NSS at LDAP, but be warned that Kerberos requires its own subset of knowledge to configure correctly.

No matter what, this is going to be time consuming. You may be better off replicating the necessary data between your two LDAP servers so that you can point your server at a single one.
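The first option above (PADL pam_ldap reading one configuration file, PADL nss_ldap reading another) is the only one that needs no extra daemon, so here is what that split looks like on disk, as an added example that is not part of the answer. The host names, base DNs and the staging directory are constructed; the file names follow the Debian packaging of the two PADL modules (pam_ldap.conf and libnss-ldap.conf), which is an assumption to verify against your own distro. The script stages the files under a temporary directory rather than /etc, then runs the checks a reviewer would want: the two files really name different servers, the PAM auth stack loads pam_ldap.so, and nsswitch sends passwd and group lookups to ldap.

```shell
#!/bin/sh
# Added example, not from the original answer. Stage a split pam_ldap /
# nss_ldap configuration and verify that the split is actually in effect.
# Hostnames, DNs and paths are constructed assumptions.
set -eu

STAGE="$(mktemp -d)"                 # stand-in for /etc so this runs anywhere
trap 'rm -rf "$STAGE"' EXIT

# Config read by PADL pam_ldap (Debian ships it as /etc/pam_ldap.conf).
# Only the server that checks passwords is named here.
cat > "$STAGE/pam_ldap.conf" <<'EOF'
# constructed sample: authentication (bind) server
uri ldap://auth.example.test
base dc=example,dc=test
ssl start_tls
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
pam_login_attribute uid
EOF

# Config read by PADL nss_ldap (Debian ships it as /etc/libnss-ldap.conf).
# Only the directory holding passwd/group data is named here.
cat > "$STAGE/libnss-ldap.conf" <<'EOF'
# constructed sample: NSS lookup server
uri ldap://directory.example.test
base dc=corp,dc=test
nss_base_passwd ou=people,dc=corp,dc=test?one
nss_base_group ou=groups,dc=corp,dc=test?one
ssl start_tls
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
EOF

# PAM auth stack fragment: pam_ldap.so performs the password check against
# the server in pam_ldap.conf; local accounts still go through pam_unix.
cat > "$STAGE/common-auth" <<'EOF'
auth    [success=2 default=ignore]  pam_unix.so nullok_secure
auth    [success=1 default=ignore]  pam_ldap.so use_first_pass
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
EOF

# nsswitch fragment: user and group enumeration go to the NSS plugin only;
# shadow stays local because PAM, not NSS, verifies the password.
cat > "$STAGE/nsswitch.conf" <<'EOF'
passwd: files ldap
group:  files ldap
shadow: files
EOF

# ldap_server_of FILE -> prints the server named by the first 'uri' or 'host'
# line (PADL accepts either key); comments and blank lines are skipped.
ldap_server_of() {
    awk '$1 == "uri" || $1 == "host" { sub(/^ldaps?:\/\//, "", $2); print $2; exit }' "$1"
}

# config_is_split PAMCONF NSSCONF -> exit 0 only when both files name a
# server and the two servers differ; same host means there is no real split.
config_is_split() {
    a="$(ldap_server_of "$1")"
    n="$(ldap_server_of "$2")"
    [ -n "$a" ] && [ -n "$n" ] && [ "$a" != "$n" ]
}

# nss_uses_ldap NSSWITCH -> exit 0 when both passwd and group consult ldap.
nss_uses_ldap() {
    grep -Eq '^passwd:.*[[:space:]]ldap([[:space:]]|$)' "$1" \
        && grep -Eq '^group:.*[[:space:]]ldap([[:space:]]|$)' "$1"
}

# pam_uses_ldap PAMFILE -> exit 0 when an auth line loads pam_ldap.so.
pam_uses_ldap() {
    grep -Eq '^auth[[:space:]].*pam_ldap\.so' "$1"
}

if config_is_split "$STAGE/pam_ldap.conf" "$STAGE/libnss-ldap.conf" \
   && pam_uses_ldap "$STAGE/common-auth" \
   && nss_uses_ldap "$STAGE/nsswitch.conf"; then
    echo "split in effect: auth=$(ldap_server_of "$STAGE/pam_ldap.conf")" \
         "nss=$(ldap_server_of "$STAGE/libnss-ldap.conf")"
else
    echo "split NOT in effect; review the staged files in $STAGE" >&2
fi
```

The check functions take file paths, so once the real files are in place you can point them at /etc directly; the case the answer warns about (both modules silently reading the same server) shows up as `config_is_split` failing.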
