When configuring LDAP authentication on Linux systems, two critical components come into play: PAM (Pluggable Authentication Modules) and NSS (Name Service Switch). While they serve different purposes, their interaction is crucial for seamless authentication.
NSS is responsible for name resolution - it determines where system information (like user accounts, groups, hosts) is stored and retrieved from. The /etc/nsswitch.conf file controls this behavior. For example:
passwd: files ldap
group: files ldap
shadow: files ldap
PAM, on the other hand, handles the actual authentication process through stackable modules. PAM configuration is typically found in /etc/pam.d/ files.
Here's what happens during authentication:
- The application calls PAM for authentication
- PAM modules (like pam_unix or pam_ldap) are invoked
- If using pam_unix, it may call NSS to resolve user information
- NSS checks its sources (files, LDAP) based on nsswitch.conf
For a complete LDAP setup, you typically need both configured. Here's a minimal working example:
nsswitch.conf:
passwd: ldap files
group: ldap files
shadow: ldap files
PAM configuration (e.g., /etc/pam.d/common-auth):
auth sufficient pam_ldap.so
auth required pam_unix.so try_first_pass
While you can authenticate with just NSS (as your tests showed), PAM provides additional features:
- Session management
- Password policies
- Multi-factor authentication
- Account expiration handling
To troubleshoot authentication issues:
# Check NSS resolution
getent passwd username
# Test PAM authentication
pamtester login username authenticate
When using both NSS and PAM with LDAP:
# Enable caching in nscd (Name Service Cache Daemon)
enable-cache passwd yes
enable-cache group yes
enable-cache shadow yes
Remember that while minimal configurations might work, a proper production setup should include both NSS and PAM configurations for complete functionality and security.
In Linux authentication systems, PAM (Pluggable Authentication Modules) and NSS (Name Service Switch) serve distinct but complementary purposes:
# Typical nsswitch.conf configuration
passwd: files ldap
group: files ldap
shadow: files ldap
NSS handles name resolution - it's responsible for locating user/group information across different sources (files, LDAP, etc.). This includes:
- Mapping UIDs to usernames
- Resolving group memberships
- Finding home directory paths
Your observation about LDAP being used twice is correct in many configurations. Here's why:
# Typical PAM stack with LDAP
auth sufficient pam_ldap.so
auth required pam_unix.so use_first_pass
The dual LDAP usage occurs because:
- PAM's pam_ldap performs the actual authentication (password verification)
- NSS with LDAP then retrieves user attributes (UID, GID, home directory, etc.)
For a minimal LDAP-only setup that works:
# /etc/nsswitch.conf minimal config
passwd: ldap
group: ldap
shadow: ldap
# /etc/pam.d/common-auth minimal config
auth sufficient pam_ldap.so
account required pam_ldap.so
password required pam_ldap.so
session optional pam_ldap.so
Your test results reveal an important nuance - some PAM modules (like pam_unix) actually depend on NSS internally. This creates the observed behavior where:
- Removing NSS LDAP breaks authentication because pam_unix can't find user info
- PAM alone can work if configured to bypass NSS-dependent modules
When both PAM and NSS use LDAP, you might want to enable caching:
# Enable nscd caching
service nscd start
# Configure pam_ldap caching
auth sufficient pam_ldap.so use_first_pass cache
To troubleshoot authentication flow:
# Enable NSS debugging
export NSS_DEBUG=1
# Enable PAM debugging
auth sufficient pam_ldap.so debug
Check system logs (/var/log/auth.log) for detailed authentication attempts.
For systems where you want to minimize LDAP calls:
- Use SSSD instead of direct LDAP
- Implement local caching proxies
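Both answers describe the same flow: the application resolves the account through NSS, pam_ldap binds against the directory itself, and pam_unix can only see what NSS shows it. The following is an added example, not code from either answer, glibc or Linux-PAM: a small Python simulator that parses nsswitch.conf- and pam.d-style text and walks the PAM control flags, so you can see exactly which component a login stalls on when the ldap source is removed from nsswitch.conf. The backend data, user names and passwords are constructed for the example; the LDAP shadow entry deliberately carries no hash, because a directory normally does not expose userPassword to an unprivileged NSS client.

```python
"""Constructed model of the NSS / PAM interplay from the answers above (not Linux-PAM or glibc code)."""

PAM_SUCCESS, PAM_AUTH_ERR, PAM_USER_UNKNOWN = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_USER_UNKNOWN"

# Constructed stand-ins for /etc/passwd + /etc/shadow ("files") and the directory ("ldap").
# pam_unix can only verify a hash it receives from the shadow database; the ldap entry has none.
BACKENDS = {
    "files": {"root": {"uid": 0, "home": "/root", "shadow": "hunter2"}},
    "ldap":  {"alice": {"uid": 10001, "home": "/home/alice", "shadow": None}},
}
LDAP_BIND_PASSWORDS = {"alice": "correct horse"}   # what an LDAP simple bind would accept (constructed)

NSSWITCH_WITH_LDAP = "passwd: files ldap\ngroup: files ldap\nshadow: files ldap\n"
NSSWITCH_FILES_ONLY = "passwd: files\ngroup: files\nshadow: files\n"
COMMON_AUTH = "auth sufficient pam_ldap.so\nauth required pam_unix.so try_first_pass\n"


def parse_nsswitch(text):
    """{database: [sources in lookup order]} from nsswitch.conf-style text."""
    db = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            name, sources = line.split(":", 1)
            db[name.strip()] = sources.split()
    return db


def nss_lookup(nsswitch, database, user, backends=BACKENDS):
    """Walk the configured sources in order, as glibc does for getpwnam()/getspnam()."""
    for source in nsswitch.get(database, ["files"]):
        entry = backends.get(source, {}).get(user)
        if entry is not None:
            return entry
    return None


def parse_pam_stack(text, facility="auth"):
    """[(control, module, args)] for the lines of one facility in a pam.d file."""
    stack = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == facility:
            stack.append((parts[1], parts[2], parts[3:]))
    return stack


def run_pam_stack(stack, call_module):
    """Simplified evaluation of the simple control flags: required, requisite, sufficient, optional."""
    first_failure, trace = None, []
    for control, module, args in stack:
        rc = call_module(module, args)
        trace.append((module, rc))
        if control == "required" and rc != PAM_SUCCESS and first_failure is None:
            first_failure = rc           # keep going, but the stack will ultimately fail
        elif control == "requisite" and rc != PAM_SUCCESS:
            return rc, trace             # fail immediately
        elif control == "sufficient" and rc == PAM_SUCCESS and first_failure is None:
            return PAM_SUCCESS, trace    # later modules are not consulted
        # optional: result ignored (the "only module in the stack" case is not modelled)
    return (first_failure or PAM_SUCCESS), trace


def simulate_login(nsswitch_text, pam_text, user, password):
    """Mimic login/sshd: resolve the account through NSS first, then run the auth stack."""
    nsswitch = parse_nsswitch(nsswitch_text)
    if nss_lookup(nsswitch, "passwd", user) is None:
        # The application needs a passwd entry (UID, home) before PAM is even called.
        return "unknown user (NSS)", []

    def call_module(module, args):
        if module == "pam_ldap.so":
            # pam_ldap binds to the directory directly; it does not go through NSS.
            if user not in LDAP_BIND_PASSWORDS:
                return PAM_USER_UNKNOWN
            return PAM_SUCCESS if LDAP_BIND_PASSWORDS[user] == password else PAM_AUTH_ERR
        if module == "pam_unix.so":
            # pam_unix depends on NSS for the shadow entry (real code compares crypt(3) hashes).
            shadow = nss_lookup(nsswitch, "shadow", user)
            if shadow is None:
                return PAM_USER_UNKNOWN
            if shadow["shadow"] is None or shadow["shadow"] != password:
                return PAM_AUTH_ERR
            return PAM_SUCCESS
        raise ValueError(f"unmodelled module {module}")

    return run_pam_stack(parse_pam_stack(pam_text), call_module)


if __name__ == "__main__":
    for nss, who, pw in [(NSSWITCH_WITH_LDAP, "alice", "correct horse"),
                         (NSSWITCH_WITH_LDAP, "alice", "wrong"),
                         (NSSWITCH_FILES_ONLY, "alice", "correct horse"),
                         (NSSWITCH_WITH_LDAP, "root", "hunter2")]:
        print(who, "->", simulate_login(nss, COMMON_AUTH, who, pw))
```

Running it shows the nuance from the second answer: with `passwd: files ldap` the LDAP user succeeds on pam_ldap alone and pam_unix is never reached, but with `passwd: files` the login fails before any PAM module runs, because the application cannot resolve the account at all.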