PAM_LDAP(7) | Standards, Environments, and Macros | PAM_LDAP(7) |
/usr/lib/security/pam_ldap.so.1
pam_ldap must be used in conjunction with the modules that support the UNIX authentication, password, and account management, which are pam_authtok_get(7), pam_passwd_auth(7), pam_unix_account(7), and pam_unix_auth(7). pam_ldap is designed to be stacked directly below these modules. If other modules are designed to be stacked in this manner, the modules can be stacked below the pam_ldap module. The Examples section shows how the UNIX modules are stacked with pam_ldap. When stacked together, the UNIX modules are used to control local accounts, such as root. pam_ldap is used to control network accounts, that is, LDAP users. For the stacks to work, pam_unix_auth, pam_unix_account, and pam_passwd_auth must be configured with the binding control flag and the server_policy option. This configuration allows local account override of a network account.
The authentication method used is either defined in the client profile , or the authentication method is configured by using the ldapclient(8) command. To determine the authentication method to use, this module first attempts to use the authentication method that is defined, for service pam_ldap, for example, serviceAuthenticationMethod:pam_ldap:sasl/DIGEST-MD5. If no authentication method is defined, pam_ldap uses the default authentication method. If neither are set, the authentication fails. This module skips the configured authentication method if the authentication method is set to none.
The following options can be passed to the LDAP service module:
debug
nowarn
These options are case sensitive and must be used exactly as presented here.
debug
nowarn
These options are case sensitive, and the options must be used exactly as presented here.
PAM_SUCCESS
PAM_MAXTRIES
PAM_AUTH_ERR
PAM_USER_UNKNOWN
PAM_BUF_ERR
PAM_SYSTEM_ERR
PAM_IGNORE
The account management service returns the following error codes:
PAM_SUCCESS
PAM_NEW_AUTHTOK_REQD
PAM_ACCT_EXPIRED
PAM_PERM_DENIED
PAM_USER_UNKNOWN
PAM_BUF_ERROR
PAM_SYSTEM_ERR
The following is a configuration for the login service when using pam_ldap. The service name login can be substituted for any other authentication service such as dtlogin or su. Lines that begin with the # symbol are comments and are ignored.
# Authentication management for login service is stacked. # If pam_unix_auth succeeds, pam_ldap is not invoked. # The control flag "binding" provides a local overriding # remote (LDAP) control. The "server_policy" option is used # to tell pam_unix_auth.so.1 to ignore the LDAP users. login auth requisite pam_authtok_get.so.1 login auth required pam_dhkeys.so.1 login auth required pam_unix_cred.so.1 login auth binding pam_unix_auth.so.1 server_policy login auth required pam_ldap.so.1
Example 2 Using pam_ldap With Account Management
The following is a configuration for account management when using pam_ldap. Lines that begin with the # symbol are comments and are ignored.
# Account management for all services is stacked # If pam_unix_account succeeds, pam_ldap is not invoked. # The control flag "binding" provides a local overriding # remote (LDAP) control. The "server_policy" option is used # to tell pam_unix_account.so.1 to ignore the LDAP users. other account requisite pam_roles.so.1 other account binding pam_unix_account.so.1 server_policy other account required pam_ldap.so.1
Example 3 Using pam_authtok_store With Password Management For Both Local and LDAP Accounts
The following is a configuration for password management when using pam_authtok_store. Lines that begin with the # symbol are comments and are ignored.
# Password management (authentication) # The control flag "binding" provides a local overriding # remote (LDAP) control. The server_policy option is used # to tell pam_passwd_auth.so.1 to ignore the LDAP users. passwd auth binding pam_passwd_auth.so.1 server_policy passwd auth required pam_ldap.so.1 # Password management (updates) # This updates passwords stored both in the local /etc # files and in the LDAP directory. The "server_policy" # option is used to tell pam_authtok_store to # follow the LDAP server's policy when updating # passwords stored in the LDAP directory other password required pam_dhkeys.so.1 other password requisite pam_authtok_get.so.1 other password requisite pam_authtok_check.so.1 other password required pam_authtok_store.so.1 server_policy
/etc/pam.conf
ATTRIBUTE TYPE | ATTRIBUTE VALUE |
Interface Stability | Evolving |
MT-Level | MT-Safe with exceptions |
The previously supported use_first_pass and try_first_pass options are obsolete in this version, are no longer needed, can safely be removed from pam.conf(5), and are silently ignored. They might be removed in a future release. Password prompting must be provided for by stacking pam_authtok_get(7) before pam_ldap in the auth and password module stacks and pam_passwd_auth(7) in the passwd service auth stack (as described in the EXAMPLES section). The previously supported password update function is replaced in this release by the previously recommended use of pam_authtok_store with the server_policy option (as described in the EXAMPLES section).
The functions: pam_sm_setcred(3PAM), pam_sm_chauthtok(3PAM), pam_sm_open_session(3PAM), and pam_sm_close_session(3PAM) do nothing and return PAM_IGNORE in pam_ldap.
December 21, 2005 | OmniOS |