libnss_ldap
Andy Rabagliati
andyr at wizzy.com
Fri Apr 7 09:45:48 BST 2006
On Thu, 06 Apr 2006, Jerry Haltom wrote:
> Run:
>
> getent passwd
> getent shadow
>
> NSS is responsible for retrieving a number of named "tables". They are
> passwd, shadow, group, hosts, etc. Anything you see in /etc/nsswitch.
> You can use getent to query one of those NSS tables.
>
> pam_unix authenticates users by comparing the password entered to the
> password in the passwd (or shadow) NSS tables. Normally, these NSS
> tables are mapped to /etc/shadow or /etc/passwd, which are local on the
> box, and shadow is only readable by root. Using NSS to map them to LDAP
> queries is fine.
>
> However, this means you are passing passwords or hashes over the LDAP
> connection to the hosts, to make up their NSS tables. Any user can query
> for one of these records, and get another users password.
>
> If I'm wrong let me know, however.
"getent passwd" indeed lists my LDAP users in addition to local users,
and a crypt'ed password is listed also for LDAP users.
Thanks for your explanation, it is a great help. Learn something new
every day.
Cheers, Andy!
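The practical check behind this exchange is whether the NSS passwd or shadow maps, as seen by an unprivileged user, carry real password hashes in the second field rather than the usual "x" or "*" placeholders. The script below is an added example, not code from the thread or from libnss_ldap; the user names and hashes in its sample are constructed to mimic what "getent passwd" prints on a host whose LDAP users publish userPassword, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original thread): flag passwd(5)/shadow(5)-format
# lines whose password field carries a hash instead of a placeholder.
# Against a live host, run as an ordinary (non-root) user:
#   getent passwd | exposed_hash_users
#   getent shadow | exposed_hash_users
# Every name printed is a user whose hash NSS hands to whoever asks.

exposed_hash_users() {
    # Field 2 is the password field. "x" (passwd pointing at shadow) and
    # "*", "!", "!!" or empty (locked / no password) are placeholders;
    # anything else is treated as a hash and the user name is printed.
    awk -F: '
        $2 != "x" && $2 != "*" && $2 != "!" && $2 != "!!" && $2 != "" {
            print $1
        }'
}

# Constructed sample: two local users, two LDAP users whose userPassword
# is returned as the passwd field, and one locked service account.
# The hashes are fabricated and correspond to no real password.
sample_passwd='root:x:0:0:root:/root:/bin/bash
local1:x:1000:1000:Local User:/home/local1:/bin/bash
ldapuser1:$1$abcdefgh$0123456789abcdefghijkl:10001:10001:LDAP User One:/home/ldapuser1:/bin/bash
ldapuser2:{SSHA}MTIzNDU2Nzg5MGFiY2RlZmdoaWprbG1ub3BxcnM=:10002:10002:LDAP User Two:/home/ldapuser2:/bin/bash
svc:*:10003:10003:Service:/nonexistent:/usr/sbin/nologin'

# Returns the flagged user names for the sample as one space-separated line.
flagged_in_sample() {
    printf '%s\n' "$sample_passwd" | exposed_hash_users | tr '\n' ' ' | sed 's/ $//'
}

report=$(flagged_in_sample)
printf 'users whose password hash is visible through NSS: %s\n' "${report:-none}"
```

If an LDAP user shows up here, the hash is readable by anyone who can run getent, which is the situation Jerry describes. The usual remedy on the directory side is an ACL that hides userPassword from anonymous and ordinary binds, combined with nss_ldap's rootbinddn so that only root's lookups (the ones pam_unix needs for shadow) bind with a DN allowed to read it; after that change, the same command run as a non-root user should print "none".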