This post expands on the previous post, Configuring stock SL6 to use DICE and LDAP changes. The main change, as noted there, is “that the package nss_ldap has been replaced by two packages – pam_ldap (containing /lib/security/pam_ldap.so and /etc/pam_ldap.conf) and nss-pam-ldapd (containing /usr/lib/libnss_ldap.so, /usr/sbin/nslcd and /etc/nslcd.conf)”.
The reasons for, and details of, this change are summarised well in Arthur de Jong’s design document.
All NSS LDAP lookups now go through the nslcd daemon, and the configuration that was previously all held in /etc/ldap.conf is now split between /etc/nslcd.conf (read by nslcd) and /etc/pam_ldap.conf (read by pam_ldap).
The lcfg-openldap component changes necessitated by this are as follows:
- There is now an openldap resource, nss_package, which should be set to either nss_ldap (f13, sl5) or nss-pam-ldapd (sl6)
- If nss_package is set to nss-pam-ldapd, the component will configure /etc/nslcd.conf and /etc/pam_ldap.conf (to the best of our knowledge, no lcfg user currently uses pam ldap authentication, so this file is minimally configured – it could of course be enhanced).
- /etc/ldap.conf is still always generated, in case other things rely on it (this will be removed in time for nss-pam-ldapd systems)
- The resources required for nss_ldap and nss-pam-ldapd are different (see the man page for details)
- The nslcd daemon is not currently managed by the openldap component (it’s started and stopped by the boot component) but will be restarted if lcfg-openldap modifies nslcd.conf. This is likely to change, with the nslcd daemon either being completely managed by lcfg-openldap or getting its own component.
- We should consider use of nss_ldap to be deprecated in favour of nss-pam-ldapd
- These changes are implemented in lcfg-openldap-3.1.61-1 (with a schema version of 5).
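A practical check for a host that has been moved from nss_ldap to nss-pam-ldapd, written for this post as an added example (it is not part of lcfg-openldap or the nss-pam-ldapd project). It verifies three things that follow from the split described above: that nsswitch.conf actually sends the NSS databases to ldap, that the generated /etc/nslcd.conf names a server and search base and is readable by root only (nslcd reads it before dropping privileges and it may carry a bindpw, so the packaged file is installed mode 0600), and that the still-generated /etc/ldap.conf does not expose a bindpw to every local user. The file paths default to the real ones but can be overridden, and the set of databases checked (NSS_DBS) is an assumption you may need to adjust for your site.

```shell
#!/bin/sh
# Added example, not part of the LCFG post or of lcfg-openldap.
# Sanity checks for a host migrated from nss_ldap to nss-pam-ldapd.
# Every function returns 0 for "good" and 1 for "bad", so they can be
# chained with && from a script or typed interactively.

# Databases expected to list "ldap" in nsswitch.conf (site assumption).
NSS_DBS="passwd group shadow"

# Portable "is this file readable by group or others?" using ls -l:
# columns 5 and 8 of the mode string are the group and other read bits.
file_readable_by_others() {
    perm=$(ls -ld "$1" | cut -c1-10)
    case "$perm" in
        ????r*|???????r*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if every database in NSS_DBS lists ldap as a source (comments ignored).
nsswitch_uses_ldap() {
    f="${1:-/etc/nsswitch.conf}"
    [ -r "$f" ] || return 1
    for db in $NSS_DBS; do
        grep -E "^[[:space:]]*$db:" "$f" | sed 's/#.*//' | grep -qw ldap || return 1
    done
    return 0
}

# 0 if nslcd.conf has "uri" and "base" lines and is not group/world readable.
nslcd_conf_ok() {
    f="${1:-/etc/nslcd.conf}"
    [ -r "$f" ] || return 1
    grep -Eq '^[[:space:]]*uri[[:space:]]'  "$f" || return 1
    grep -Eq '^[[:space:]]*base[[:space:]]' "$f" || return 1
    if file_readable_by_others "$f"; then
        return 1
    fi
    return 0
}

# 0 (i.e. "yes, it leaks") if the legacy ldap.conf carries a bindpw line
# and is readable by group or others; 1 otherwise.
ldap_conf_leaks_bindpw() {
    f="${1:-/etc/ldap.conf}"
    [ -r "$f" ] || return 1
    grep -Eq '^[[:space:]]*bindpw[[:space:]]' "$f" || return 1
    file_readable_by_others "$f"
}

# Run all three against the real files and print a one-line verdict each.
check_host() {
    rc=0
    nsswitch_uses_ldap     && echo "nsswitch.conf: ok"      || { echo "nsswitch.conf: ldap missing"; rc=1; }
    nslcd_conf_ok          && echo "nslcd.conf: ok"         || { echo "nslcd.conf: incomplete or too permissive"; rc=1; }
    ldap_conf_leaks_bindpw && { echo "ldap.conf: bindpw readable by others"; rc=1; } || echo "ldap.conf: no exposed bindpw"
    return $rc
}
```

Source the file and call `check_host` after lcfg-openldap has regenerated the files; a non-zero exit means one of the three checks failed, and the messages say which. Because nslcd only reads its configuration at startup, remember that a fixed nslcd.conf has no effect until the daemon is restarted.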