PAM/LDAP distinct users sets for httpd <-> system auth

Jed Donnelley jed at nersc.gov
Fri Oct 1 17:44:00 UTC 2004


In discussions here and elsewhere I've found some additional focus on the
problem I'm facing with PAM/LDAP.

I have two interfaces, httpd and system authentication, that I want to have
distinct sets of users visible to authenticate to.  In my case it happens that
the system authentication set is a subset of the httpd set.  I have a large
set of computer center users (~3k) that I want to be able to be known as users
and be able to authenticate to httpd with their LDAP userids and passwords,
groups, etc.  I have a much smaller set of Web developers (10s or so) that I
want to be able to have shell/system authentication to login to the Web server
system, but also with their LDAP passwords.

What it seems to come down to is that to get PAM/LDAP to know about the
larger set of center users in the LDAP database I need to include:

passwd:    files ldap

in my nsswitch.conf file.  Having done so it appears to force my
hand on shell/login authentication in that all the LDAP users become
visible as if they had an entry in the /etc/passwd file.

I know that if I use mod_auth_ldap for my httpd authentication, I can
set things up so that my larger set of users are visible to httpd
authentication and then I can specify:

passwd:    files

in my nsswitch.conf file and let PAM manage my system authentication
to the subset.

I realize that I can also specify a system specific subset of users in
LDAP that will allow me to authenticate just that subset with PAM for
shell/login authentication.  However, what I don't know how to do is
to specify such a subset to PAM/LDAP for system authentication
while using the much larger set for httpd authentication.

--Jed http://www.nersc.gov/~jed/  
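The following is an added configuration sketch, not part of Jed's post and not
tested against his setup, showing one way to get what he asks for: keep
"passwd: files ldap" so NSS (and any directory-wide lookup) sees all ~3k users,
narrow the PAM side with pam_ldap's own group check rather than with nsswitch,
and let mod_auth_ldap authenticate the full set directly.  The host, base DN,
group DN and location path are placeholders.

```text
# /etc/nsswitch.conf  -- the whole LDAP population stays resolvable
passwd:    files ldap
shadow:    files ldap
group:     files ldap

# /etc/ldap.conf (PADL pam_ldap / nss_ldap; placeholder host and DNs)
host    ldap.example.com
base    dc=example,dc=com
# Only members of this group pass pam_ldap's "account" stage.  Everyone
# else still resolves through NSS but is refused at login.  The group is
# assumed to be a groupOfUniqueNames whose uniqueMember values are user DNs.
pam_groupdn           cn=webdev,ou=Groups,dc=example,dc=com
pam_member_attribute  uniqueMember

# /etc/pam.d/system-auth (Red Hat style excerpt; sshd and login include it)
auth     sufficient  pam_unix.so likeauth nullok
auth     sufficient  pam_ldap.so use_first_pass
auth     required    pam_deny.so
account  required    pam_unix.so
account  [default=bad success=ok user_unknown=ignore] pam_ldap.so
# Alternative without pam_groupdn, if the build of Linux-PAM ships
# pam_succeed_if: reject any user who is not in the (NSS-visible) group.
#account required    pam_succeed_if.so user ingroup webdev

# httpd.conf (Apache 2.0 mod_auth_ldap): binds to LDAP on its own, so the
# full set of center users can authenticate regardless of the PAM limit.
LoadModule ldap_module      modules/mod_ldap.so
LoadModule auth_ldap_module modules/mod_auth_ldap.so
<Location /intranet>
    AuthType Basic
    AuthName "Restricted"
    AuthLDAPURL "ldap://ldap.example.com/ou=People,dc=example,dc=com?uid"
    require valid-user
</Location>
```

The check that this does what is intended: "getent passwd <non-member>" still
returns the LDAP entry (that is the NSS path, deliberately left open), while
an ssh login by the same user fails at the account stage and pam_ldap logs
the refusal through syslog (authpriv, so /var/log/secure on Red Hat).  The
restriction lives in pam_ldap's account check, so it only applies to services
whose PAM stack includes that line; a service with its own stack and no
account entry for pam_ldap is not covered.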




More information about the Pam-list mailing list