Summary

PAM and NSS configurations are defined to integrate in a Kerberos and LDAP directory test infrastructure. Disconnected mode and caching are supported. Test plans are also defined to make sure that the PAM/NSS integration is working as expected.

Release Note

Rationale

LTS releases are used in corporate environments. Making sure that the user and group management processes work correctly and integrate well with existing identity management infrastructures improves the quality of an LTS release.

User stories

Design

There are different options for configuring the pam and nss stack to support network identity services:

sssd (universe)

System Security Services Daemon is actively developed by Red Hat. Its primary function is to provide access to remote identity and authentication resources through a common framework that can provide caching and offline support to the system. It provides PAM and NSS modules, as well as D-BUS based interfaces. It also provides a better database to store local users as well as extended user data.

A 1.0 release is targeted for December 2009 / January 2010. sssd is already available in karmic from the universe component.

WI: package sssd 1.0: TODO

WI: add pam-auth-update support to libpam-sss: TODO

WI: test sssd in the Id test environment following the test plan: TODO

openldap cache proxy

OpenLDAP is running on the local machine and serves as a caching proxy for nss and pam requests. pam-ccreds is used to cache credentials to support disconnected mode. The pcache overlay is set up to cache nss and pam queries with a TTR of 4 minutes and a TTL of 8 minutes for testing purposes.

Multiple configurations exist:

  1. nss-ldap (main) + pam-krb5 (main)
  2. nss-ldap (main) + pam-ldap (main)
  3. nss-ldapd (universe) + pam-krb5 (main)
  4. nss-ldapd (universe) + pam-ldap (main)
  5. nss-ldapd (universe) + pam-ldapd (universe)

WI: move libpam-ccreds to main: TODO

WI: define caching proxy overlay configuration (ldif file for cn=config) for nss and pam information (nss-ldap+pam-ldap config): TODO

WI: test nss-ldap + pam-krb5 in the Id test environment following the test plan: TODO

WI: test nss-ldap + pam-ldap in the Id test environment following the test plan: TODO
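As an added example of the caching proxy configuration described above (not a deliverable of this blueprint), the script below generates the cn=config LDIF for a local slapd that proxies to the remote directory and caches lookups with the spec's 8 minute TTL and 4 minute TTR. The entry layout follows the slapo-pcache(5) example (proxy database, pcache overlay, nested hdb cache database); the suffix, remote URI, cache directory, attribute set, database index {1} and the query templates (assumed to match the default nss-ldap passwd/group filters) are assumptions to adapt to the test environment. The TTR is checked to be shorter than the TTL, since a refresh period that is not shorter than the lifetime never fires before the entry expires.

```shell
#!/bin/sh
# Added example (not from the spec): emit cn=config LDIF for a pcache overlay
# on a local slapd that proxies nss/pam lookups to the remote directory.
# TTL/TTR (8 min / 4 min) come from the spec; everything below marked
# "assumed" is a placeholder for the real test environment.

REMOTE_URI="ldap://ldap.example.com"     # assumed remote directory
SUFFIX="dc=example,dc=com"               # assumed suffix
CACHE_DIR="/var/lib/ldap/pcache"         # assumed cache db directory (must exist, owned by openldap)

# pcache_template FILTER ATTRSET TTL_MIN TTR_MIN
# Prints one olcPcacheTemplate line: <filter> <attrset> <ttl> <negttl> <limitttl> <ttr>
# with ttl/ttr converted to seconds; negttl and limitttl stay 0 (no negative
# or sizelimit caching). Fails if TTR is not shorter than TTL.
pcache_template() {
    filter=$1; attrset=$2; ttl_min=$3; ttr_min=$4
    if [ "$ttr_min" -ge "$ttl_min" ]; then
        echo "pcache_template: TTR ($ttr_min min) must be shorter than TTL ($ttl_min min)" >&2
        return 1
    fi
    echo "olcPcacheTemplate: $filter $attrset $((ttl_min * 60)) 0 0 $((ttr_min * 60))"
}

# pcache_ldif TTL_MIN TTR_MIN
# Prints the LDIF for the proxy database, the pcache overlay and its cache backend.
pcache_ldif() {
    ttl=$1; ttr=$2
    cat <<EOF
# proxy database forwarding to the remote directory
dn: olcDatabase={1}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {1}ldap
olcSuffix: $SUFFIX
olcDbURI: $REMOTE_URI

# pcache overlay: hdb cache, 10000 entries, 1 attribute set,
# 50 entries per cached query, consistency check every 100 s
dn: olcOverlay={0}pcache,olcDatabase={1}ldap,cn=config
objectClass: olcOverlayConfig
objectClass: olcPcacheConfig
olcOverlay: {0}pcache
olcPcache: hdb 10000 1 50 100
olcPcacheAttrset: 0 uid uidNumber gidNumber gecos homeDirectory loginShell cn memberUid
EOF
    # query templates (values stripped) for the passwd and group lookups
    # nss-ldap issues; assumed to match its default search filters
    pcache_template "(&(objectClass=)(uid=))" 0 "$ttl" "$ttr"
    pcache_template "(&(objectClass=)(cn=))" 0 "$ttl" "$ttr"
    pcache_template "(&(objectClass=)(memberUid=))" 0 "$ttl" "$ttr"
    cat <<EOF

# backend holding the cached entries (nested under the overlay)
dn: olcDatabase={0}hdb,olcOverlay={0}pcache,olcDatabase={1}ldap,cn=config
objectClass: olcHdbConfig
objectClass: olcPcacheDatabase
olcDatabase: {0}hdb
olcDbDirectory: $CACHE_DIR
EOF
}

# Usage on the proxy host (assumed ldapi:/// with SASL EXTERNAL for cn=config):
#   pcache_ldif 8 4 | sudo ldapadd -Y EXTERNAL -H ldapi:///
```

Point nss-ldap and pam-ldap at the local proxy (ldap://127.0.0.1) rather than the remote server, and check the generated objectClass and attribute names against the slapo-pcache(5) man page of the slapd version under test before loading.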

Test plan

Test commands

$ getent passwd testuser

$ getent group testgroup

$ sudo -l
$ sudo -K

Login at the console.

Test cases

  1. System is online.
    • First run of test commands generates ldap connections to the remote ldap server (to be checked on the remote slapd server via connections logging - loglevel 256).
    • Second run (within TTR) of test commands should not generate any ldap connections to the remote ldap server.
    • Third run (after TTL) of test commands should generate ldap connections to the remote ldap server.
  2. System goes offline (network connection to the ldap server is broken - iptables deny rules):
    • First run (within TTL) of test commands works as expected.
    • Second run (after TTL) of test commands should:
      • pam: fail with an error message stating the id infrastructure is not available - login denied - disconnected for too long.
      • nss: immediately return with empty groups and users
  3. password policies:
    • expiration warning (grace login)
    • password needs to be changed now.
    • account deactivated - login denied - password disabled
  4. password change:
    • in connected mode:
      • policy validation:
        • short password: failure with relevant info messages
        • password history reuse: failure with relevant info messages
        • all policies are valid: success
    • in disconnected mode: failure
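Test case 1 relies on counting the connections the remote slapd accepts from the client between runs of the test commands. As an added example (not part of the spec), the script below does that count from a slapd stats log (loglevel 256); the log lines are constructed samples in the slapd stats format, and the IPs are documentation addresses rather than a real test environment.

```shell
#!/bin/sh
# Added example (not from the spec): verify test case 1 from the remote
# slapd stats log (loglevel 256) by counting connection ACCEPT lines from
# the client under test. Sample log below is constructed.

SAMPLE_LOG="${TMPDIR:-/tmp}/slapd-sample.$$.log"
cat > "$SAMPLE_LOG" <<'EOF'
Feb 10 10:00:01 ldapsrv slapd[2231]: conn=1001 fd=14 ACCEPT from IP=192.0.2.10:41022 (IP=0.0.0.0:389)
Feb 10 10:00:01 ldapsrv slapd[2231]: conn=1001 op=0 BIND dn="" method=128
Feb 10 10:00:01 ldapsrv slapd[2231]: conn=1001 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=testuser))"
Feb 10 10:00:01 ldapsrv slapd[2231]: conn=1001 fd=14 closed
Feb 10 10:00:02 ldapsrv slapd[2231]: conn=1002 fd=15 ACCEPT from IP=192.0.2.10:41023 (IP=0.0.0.0:389)
Feb 10 10:00:02 ldapsrv slapd[2231]: conn=1002 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(cn=testgroup))"
Feb 10 10:00:02 ldapsrv slapd[2231]: conn=1002 fd=15 closed
Feb 10 10:03:30 ldapsrv slapd[2231]: conn=1003 fd=16 ACCEPT from IP=198.51.100.7:55100 (IP=0.0.0.0:389)
EOF

# count_accepts LOGFILE CLIENT_IP
# Prints the number of connections slapd accepted from CLIENT_IP.
# The trailing ':' stops 192.0.2.1 from matching 192.0.2.10; -F avoids
# treating the dots as regex wildcards. grep -c prints 0 on no match but
# exits 1, hence the || true.
count_accepts() {
    grep -c -F "ACCEPT from IP=$2:" "$1" || true
}

# new_connections LOGFILE CLIENT_IP BASELINE
# Prints how many connections arrived since BASELINE (an earlier count).
# Test plan use: baseline=$(count_accepts LOG IP); run the test commands on
# the client; new_connections LOG IP "$baseline" must print 0 for the run
# inside the TTR window and a positive number for the run after the TTL.
new_connections() {
    now=$(count_accepts "$1" "$2")
    echo $((now - $3))
}
```

Run the count on the remote slapd host against its syslog (or `slapd -d 256` output), taking the baseline immediately before each run of the test commands so that unrelated clients do not skew the result.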

WI: write up complete pam+nss components test instructions in QA testcase wiki: TODO

Testing kerberized services

WI: write up ssh/sftp test instructions in QA testcase wiki: TODO

WI: write up file services (cifs/nfsv4) test instructions in QA testcase wiki: TODO

Implementation

See the Work Items in the blueprint.

Test/Demo Plan

Unresolved issues

BoF agenda and discussion

UDS session notes

Session 2 Goal

Making sure id mgmt client components are tested and working correctly in a reference identity environment based on openldap + MIT kerberos.

Testing login experience

  1. SSSD update and testing. Integration with pam-auth-update (and auth-client-config).
  2. openldap + pcache overlay testing + nss overlay (nss and pam module (universe)). Integration with pam-auth-update (and auth-client-config).
  3. nss-ldap + pam_krb5 + pam_ccred + openldap + pcache (in main)
  4. nss-ldap + pam_ldap + pam_ccred + openldap + pcache (in main)

pcache overlay options: time to keep the entries in the cache: default 2 weeks. Tests:

Review SSSD test cases.

AD TTL for 2 weeks.

Testing kerberized services

Implementation plan


CategorySpec

IdMgmtTestClientLogin (last edited 2010-02-23 00:05:43 by webwurst)