I need to understand how LDAP user authentication works since I need to put password restrictions on the users but am not able to get it working correctly

Came through this link which says that LDAP(pam_ldap) always use binding as authentication and never reads userPassword. That is only read by nss_ldap

http://osdir.com/ml/ldap.padl.pam-ld.../msg00011.html

pam_ldap and nss_ldap work differently ?

If that is the case, if I have allowed anonymous binding on my LDAP server, should not I be able to login (ssh) into my machines with any valid user name and blank password (if I have pam for system-auth setup correctly)

Also, with any blank username and blank passwords ??
This link also talks about 'anonymous simple authentication'
https://www.opends.org/wiki/page/Def...PBindOperation

Adding allow_anon_cred and allow_anon_dn in slapd.conf should be enuf or I need to do something extra

Any help would be extremely helpful. Let me know your views/ideas about nsswitch and PAM settings

If I understand your question correctly i think that you are talking about ACLs when you say "anonymous bind". That just means that someone who authenticates as anonymous can read/write your directory based on the ACL you configure.

Setting up password restriction in openldap requires including the ppolicy module and also creating a check Password module that is called by pwdCheckModule as well as the pwdCheckQuality attribute requiring the check.

I find it easier to use Pam in a semi controllable environment.