Difference between NSS-LDAP and PAM_LDAP


Difference between NSS-LDAP and PAM_LDAP

by Sven.Bettscheider


The goal of my work is that different services can authenticate successfully through PAM against different LDAP servers.

Example:

squid Service: /etc/pam.d/squid

auth        required       pam_env.so
auth        sufficient     pam_unix.so likeauth nullok
auth        sufficient     pam_ldap.so config=/etc/pam_server1_ldap.conf use_first_pass
auth        sufficient     pam_ldap.so config=/etc/pam_server2_ldap.conf use_first_pass
auth        required       pam_deny.so

account     required       pam_unix.so broken_shadow
account     sufficient     pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore]  pam_ldap.so config=/etc/pam_server1_ldap.conf
account     [default=bad success=ok user_unknown=ignore]  pam_ldap.so config=/etc/pam_server2_ldap.conf
account     required       pam_permit.so

password    sufficient     pam_unix.so nullok use_authtok md5 shadow
password    sufficient     pam_ldap.so config=/etc/pam_server1_ldap.conf use_authtok
password    sufficient     pam_ldap.so config=/etc/pam_server2_ldap.conf use_authtok
password    required       pam_deny.so

session optional       pam_ldap.so config=/etc/pam_server1_ldap.conf
session optional       pam_ldap.so config=/etc/pam_server2_ldap.conf


The problem at the moment is that I can define different config files for pam_ldap, but the NSS-LDAP module reads only /etc/ldap.conf. Is it possible to define different config files for NSS_LDAP?

Is it possible to declare two different servers for pam_ldap?
The man page for pam_ldap says:
config=<path>
              Specifies that pam_ldap should use the configuration file in path instead of ldap.conf to retrieve its  global  configuration.  Configuring multiple instances of pam_ldap for the same service with different configuration files is not supported, because the configuration information is cached.


Why do I need the NSS-LDAP module for authentication?
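The stack above is easier to reason about once the control flags are walked mechanically. The following is an added example, not code from the post: a small simulator of the Linux-PAM control-flag semantics (the four keywords and the `[value=action]` form, as documented in pam.conf(5)), fed with constructed per-module results for the squid auth and account sections. The result tables are assumptions chosen to mirror typical module behaviour (pam_unix returns user_unknown for a user that NSS cannot resolve, pam_succeed_if fails its `uid < 100` test for an ordinary user), not captured output. Tracing the account section for an LDAP-only user shows why NSS matters even though pam_ldap does the password check: `account required pam_unix.so` fails with user_unknown when the user is invisible to getpwnam, and a required failure cannot be rescued by the later pam_ldap entries.

```python
"""Simplified simulator of Linux-PAM stack evaluation (added example).

Models: required/requisite/sufficient/optional, the [value=action] syntax
with actions ignore, ok, done, bad, die, reset and numeric jumps.
"""

SUCCESS = "success"
AUTH_ERR = "auth_err"
USER_UNKNOWN = "user_unknown"

# pam.conf(5) defines the keywords in terms of the [value=action] syntax.
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}


def parse_control(control):
    """Turn a control field into a retval -> action table."""
    if control.startswith("["):
        return dict(kv.split("=", 1) for kv in control.strip("[]").split())
    return dict(KEYWORDS[control])


def run_stack(stack, results):
    """Walk a stack of (control, module) pairs; results maps module -> retval.

    'impression' records whether a positive or negative verdict has been
    reached, exactly as Linux-PAM does, so a later 'sufficient' success can
    no longer override an earlier 'required' failure.
    """
    impression, status = None, None
    i = 0
    while i < len(stack):
        control, module = stack[i]
        retval = results[module]
        table = parse_control(control)
        action = table.get(retval, table.get("default", "bad"))
        i += 1
        if action == "ignore":
            continue
        if action in ("ok", "done") or action.isdigit():
            if impression is None or (impression == "pos" and status == SUCCESS):
                impression, status = "pos", retval
            if action == "done" and impression == "pos":
                break
            if action.isdigit():          # 'N' is ok plus skipping N modules
                i += int(action)
        elif action in ("bad", "die"):
            if impression != "neg":
                impression, status = "neg", retval
            if action == "die":
                break
        elif action == "reset":
            impression, status = None, None
    return status if status is not None else "perm_denied"


# The squid stack from the post, auth and account sections.
AUTH_STACK = [
    ("required", "pam_env"),
    ("sufficient", "pam_unix"),
    ("sufficient", "pam_ldap:server1"),
    ("sufficient", "pam_ldap:server2"),
    ("required", "pam_deny"),
]
ACCOUNT_STACK = [
    ("required", "pam_unix"),
    ("sufficient", "pam_succeed_if"),
    ("[default=bad success=ok user_unknown=ignore]", "pam_ldap:server1"),
    ("[default=bad success=ok user_unknown=ignore]", "pam_ldap:server2"),
    ("required", "pam_permit"),
]

# Constructed module outcomes per kind of user (assumptions, not measurements).
COMMON = {"pam_env": SUCCESS, "pam_deny": AUTH_ERR, "pam_permit": SUCCESS,
          "pam_succeed_if": AUTH_ERR}  # uid < 100 is false for normal users
SCENARIOS = {
    "local_user": dict(COMMON, pam_unix=SUCCESS,
                       **{"pam_ldap:server1": USER_UNKNOWN, "pam_ldap:server2": USER_UNKNOWN}),
    # user exists only on server2, but NSS (nss_ldap) can resolve the account
    "ldap_user_with_nss": dict(COMMON, pam_unix=SUCCESS,
                               **{"pam_ldap:server1": USER_UNKNOWN, "pam_ldap:server2": SUCCESS}),
    # same user, but getpwnam fails because NSS only consults local files
    "ldap_user_without_nss": dict(COMMON, pam_unix=USER_UNKNOWN, pam_succeed_if=USER_UNKNOWN,
                                  **{"pam_ldap:server1": USER_UNKNOWN, "pam_ldap:server2": SUCCESS}),
    "unknown_user": dict(COMMON, pam_unix=USER_UNKNOWN,
                         **{"pam_ldap:server1": USER_UNKNOWN, "pam_ldap:server2": USER_UNKNOWN}),
}


def evaluate(stack, scenario):
    return run_stack(stack, SCENARIOS[scenario])


if __name__ == "__main__":
    for name in SCENARIOS:
        print(f"{name:22} auth={evaluate(AUTH_STACK, name):12} "
              f"account={evaluate(ACCOUNT_STACK, name)}")
```

The ldap_user_without_nss row is the instructive one: auth succeeds through the second pam_ldap entry, yet account ends in user_unknown, so the login is refused. pam_ldap only answers "is this password right for this DN"; the rest of the stack (and the service itself) still needs the account to resolve through NSS.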


Re: Difference between NSS-LDAP and PAM_LDAP

by Sven.Bettscheider


My mistake was that pam_ldap does not support password and session.

The next problem is the possibility of more than one LDAP server.
I would like to talk to different LDAP servers in one PAM stack.

The problem is that the config option allows only one LDAP server, because the config options are cached by pam_ldap.

I have seen that a patch for this problem exists here:
http://www.nabble.com/Calling-pam_ldap-more-then-once-td4459479.html#a25007138

Is there any other possibility for multiple instances of pam_ldap in the PAM stack?

