pam_ldap(5)
NAME
pam_ldap - authentication, account, and password management
PAM module for LDAP
SYNOPSIS
/usr/lib/security/pam_ldap.so.1
DESCRIPTION
The pam_ldap module implements pam_sm_authenticate,
pam_sm_setcred, pam_sm_acct_mgmt, and pam_sm_chauthtok, the
functions that provide functionality for the PAM
authentication, account management and password management
stacks. The pam_ldap module ties the authentication, account
management and password change functionality to the
functionality of the supporting LDAP server. For
authentication, pam_ldap can authenticate the user directly
to any LDAP directory server by using any supported
authentication mechanism, such as DIGEST-MD5. However, the
account management and password change components of
pam_ldap will only work with the bundled Sun ONE Directory
Server. The Sun ONE Directory Server user account
management, that is, password and account lockout policy,
must be properly configured on the server before it can be
used by pam_ldap to provide the account management, password
aging, and password syntax checking controls. Refer to the
Sun ONE Directory Server Administrator's Guide that is cited
in the NOTES section.
pam_ldap must be used in conjunction with the modules that
support the UNIX authentication, password, and account
management, which are pam_authtok_check(5),
pam_authtok_get(5), pam_authtok_store(5),
pam_passwd_auth(5), pam_unix_account(5), and
pam_unix_auth(5). pam_ldap is designed to be stacked
directly below these modules. Other modules that are
designed to be stacked in this manner can also be stacked
below the pam_ldap module. The EXAMPLES section shows how
the UNIX modules are stacked with pam_ldap. When stacked
together, the UNIX modules control local accounts, such as
root, and pam_ldap controls the network accounts, that is,
LDAP users. For the stacks to work, pam_unix_auth,
pam_unix_account, pam_passwd_auth, and pam_authtok_store
must be configured with the binding control flag and the
server_policy option. This configuration allows a local
account to override a network account.
LDAP Authentication Module
The LDAP authentication module verifies the identity of a
user. The pam_sm_authenticate function uses the password
entered by the user to attempt to authenticate to the LDAP
server. If successful, the user is authenticated.
The authentication method used is either defined in the
client profile, or the authentication method is configured
by using the ldapclient(1M) command. To determine the
authentication method to use, this module first attempts to
use the authentication method that is defined for service
pam_ldap, for example,
serviceAuthenticationMethod:pam_ldap:sasl/DIGEST-MD5. If no
authentication method is defined for the service, pam_ldap
uses the default authentication method. If neither is set,
the authentication fails. This module skips the configured
authentication method if the authentication method is set
to none.
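The selection order described above, as an added example that is not part of this manual page or of the pam_ldap module itself: a POSIX sh function that applies the same order to a client profile. It assumes the profile is fed on stdin as "attribute: value" lines using the attribute names serviceAuthenticationMethod and defaultAuthenticationMethod, and it reads the last sentence above as meaning that an entry whose method is none is skipped in favour of the next candidate. The sample profile at the end is constructed for illustration.

```shell
# Added example, not part of the pam_ldap(5) man page: resolve the
# authentication method pam_ldap would select from a client profile,
# in the order the DESCRIPTION gives. Assumptions: the profile arrives
# on stdin as "attribute: value" lines (the real profile is written by
# ldapclient(1M) and is not meant to be edited by hand); an entry whose
# method is "none" is skipped and the next candidate is tried.

pam_ldap_auth_method() {
    svc='' dflt=''
    while read -r line; do
        case "$line" in
            serviceAuthenticationMethod:*)
                # value has the form <service>:<method>; keep only the
                # entry for service pam_ldap
                v=${line#serviceAuthenticationMethod:}
                v=${v# }
                case "$v" in
                    pam_ldap:*) svc=${v#pam_ldap:} ;;
                esac ;;
            defaultAuthenticationMethod:*)
                dflt=${line#defaultAuthenticationMethod:}
                dflt=${dflt# } ;;
        esac
    done
    # 1. service-specific method for pam_ldap, unless it is "none"
    if [ -n "$svc" ] && [ "$svc" != none ]; then
        printf '%s\n' "$svc"
        return 0
    fi
    # 2. default method, unless it is "none"
    if [ -n "$dflt" ] && [ "$dflt" != none ]; then
        printf '%s\n' "$dflt"
        return 0
    fi
    # 3. nothing usable: pam_ldap fails the authentication
    printf 'no usable authentication method: authentication fails\n' >&2
    return 1
}

# constructed profile: the pam_ldap entry overrides the default method,
# and the entry for another service (passwd-cmd) is ignored
printf '%s\n' \
    'defaultAuthenticationMethod: simple' \
    'serviceAuthenticationMethod: passwd-cmd:tls:simple' \
    'serviceAuthenticationMethod: pam_ldap:sasl/DIGEST-MD5' \
    | pam_ldap_auth_method
```

Feeding the function the attributes of a real client is useful when a login that should use DIGEST-MD5 unexpectedly fails: a profile where only the default method is set, or where the pam_ldap entry is none, falls through to a weaker method or to outright failure, and the function shows which of the three outcomes applies.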
The pam_sm_setcred(3PAM) function does nothing. This
function always returns PAM_IGNORE.
The following options may be passed to the LDAP service
module:
debug
syslog(3C) debugging information at LOG_DEBUG level.
nowarn
Turn off warning messages.
These options are case sensitive, and the options must be
used exactly as presented here.
LDAP Account Management Module
The LDAP account management module validates the user's
account. The pam_sm_acct_mgmt(3PAM) function authenticates
to the LDAP server to verify that the user's password has
not expired and that the user's account has not been locked.
The following options may be passed to the LDAP service
module:
debug
syslog(3C) debugging information at LOG_DEBUG level.
nowarn
Turn off warning messages.
These options are case sensitive, and the options must be
used exactly as presented here.
LDAP Password Management Module
The preferred way to configure password management for LDAP
is by using the pam_authtok_store(5) module and by
specifying the server_policy option. Use pam_authtok_store
instead of pam_ldap for password change. When password
management is configured this way, both the local and LDAP
accounts are handled. pam_authtok_store(5) updates the
passwords in all the repositories configured by
nsswitch.conf(4). pam_ldap updates only the password in the
LDAP password database.
The LDAP password management module provides the
pam_sm_chauthtok() function to change passwords in the LDAP
database.
The following options may be passed to the LDAP service
module:
debug
syslog(3C) debugging information at LOG_DEBUG level.
nowarn
Turn off warning messages.
These options are case sensitive, and the options must be
used exactly as presented here.
ERRORS
The authentication service returns the following error
codes:
PAM_SUCCESS
Authentication successful
PAM_MAXTRIES
Maximum number of authentication attempts exceeded
PAM_AUTH_ERR
Authentication failure
PAM_USER_UNKNOWN
No account present for user
PAM_BUF_ERR
Memory buffer error
PAM_SYSTEM_ERR
System error
The account management service returns the following error
codes:
PAM_SUCCESS
User allowed access to account
PAM_NEW_AUTHTOK_REQD
New authentication token required
PAM_ACCT_EXPIRED
User account has expired
PAM_PERM_DENIED
User denied access to account at this time
PAM_USER_UNKNOWN
No account present for user
PAM_BUF_ERR
Memory buffer error
PAM_SYSTEM_ERR
System error
The password management service returns the following
values:
PAM_SUCCESS
Authentication token successfully updated
PAM_PERM_DENIED
No permission to update authentication token
PAM_AUTHTOK_ERR
Authentication token manipulation error
PAM_USER_UNKNOWN
No account present for user
PAM_BUF_ERR
Memory buffer error
PAM_SYSTEM_ERR
System error
EXAMPLES
Example 1: Using pam_ldap With Authentication
The following is a configuration for the login service when
using pam_ldap. The service name login can be replaced with
any other authentication service, such as dtlogin or su.
Lines that begin with the # symbol are comments, and these
lines are ignored.
# Authentication management for login service is stacked.
# If pam_unix_auth succeeds, pam_ldap is not invoked.
# The control flag "binding" provides a local overriding
# remote (LDAP) control. The "server_policy" option is used
# to tell pam_unix_auth.so.1 to ignore the LDAP users.
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
Example 2: Using pam_ldap With Account Management
The following is a configuration for account management when
using pam_ldap. Lines that begin with the # symbol are
ignored.
# Account management for all services is stacked
# If pam_unix_account succeeds, pam_ldap is not invoked.
# The control flag "binding" provides a local overriding
# remote (LDAP) control. The "server_policy" option is used
# to tell pam_unix_account.so.1 to ignore the LDAP users.
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
Example 3: Using pam_authtok_store With Password Management
For Both Local and LDAP Accounts
The following is a configuration for password management
when using pam_authtok_store instead of pam_ldap. This
configuration works because pam_authtok_store updates the
password in all the repositories configured by
nsswitch.conf(4). Lines that begin with the # symbol are
comments, and these lines are ignored.
# Password management (authentication)
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
# Password management (updates)
# This is the preferred stack, since it updates
# passwords stored both in the local /etc files and
# in the LDAP directory. The "server_policy"
# option is used to tell pam_authtok_store to
# follow the LDAP server's policy when updating
# passwords stored in the LDAP directory
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
Example 4: Using pam_ldap With Password Management if There
are no Local Accounts
Use the following configuration for password management when
using pam_ldap. Lines that begin with the # symbol are
comments, and the comments are ignored.
# Password management (authentication)
# The control flag "binding" provides a local overriding
# remote (LDAP) control. The server_policy option is used
# to tell pam_passwd_auth.so.1 to ignore the LDAP users.
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
# Password management (updates)
# This stack is limited to updating password stored in the
# LDAP directory. The preferred method is shown in Example 3.
other password required pam_ldap.so.1
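The binding and server_policy requirement stated in DESCRIPTION, checked mechanically against stacks like the ones in Examples 1 to 4, as an added example that is not part of this manual page or of Solaris: a POSIX sh function that reads pam.conf-style entries and reports every UNIX module in a pam_ldap stack that lacks the binding control flag or the server_policy option. The input format (configuration text passed as the first argument) and the sample stack are assumptions; the clean part of the sample is the login stack from Example 1, and the faulty account stack is constructed to show what the check reports.

```shell
# Added example, not part of the pam_ldap(5) man page: check pam.conf-style
# stacks against the rule in DESCRIPTION that pam_unix_auth,
# pam_unix_account, pam_passwd_auth and pam_authtok_store must use the
# "binding" control flag and the server_policy option in any stack that
# also contains pam_ldap. Input is the configuration text as the first
# argument, one pam.conf entry per line
# (service  module-type  control-flag  module-path [options]);
# comment and blank lines are skipped. One line is printed per violation
# and the return value is 0 only when no violation was found.

check_pam_ldap_stacks() {
    ldap_stacks='' bad=0
    # pass 1: record every service/module-type stack that contains pam_ldap
    while read -r svc type flag module opts; do
        case "$svc" in ''|'#'*) continue ;; esac
        case "$module" in
            *pam_ldap.so*) ldap_stacks="$ldap_stacks $svc:$type" ;;
        esac
    done <<EOF
$1
EOF
    # pass 2: in those stacks, every UNIX module must be binding + server_policy
    while read -r svc type flag module opts; do
        case "$svc" in ''|'#'*) continue ;; esac
        case " $ldap_stacks " in *" $svc:$type "*) ;; *) continue ;; esac
        case "$module" in
            *pam_unix_auth.so*|*pam_unix_account.so*|*pam_passwd_auth.so*|*pam_authtok_store.so*) ;;
            *) continue ;;
        esac
        if [ "$flag" != binding ]; then
            # without "binding", a local success does not end the stack,
            # so pam_ldap is still invoked for local accounts such as root
            printf '%s %s: %s has control flag "%s", expected "binding"\n' \
                "$svc" "$type" "$module" "$flag"
            bad=$((bad + 1))
        fi
        case " $opts " in
            *" server_policy "*) ;;
            *)  # without server_policy the UNIX module does not ignore LDAP users
                printf '%s %s: %s lacks the server_policy option\n' \
                    "$svc" "$type" "$module"
                bad=$((bad + 1)) ;;
        esac
    done <<EOF
$1
EOF
    [ "$bad" -eq 0 ]
}

# constructed sample: Example 1's login stack (clean) plus an account stack
# that uses "required" and omits server_policy (two violations)
sample='login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
other account required pam_ldap.so.1'

check_pam_ldap_stacks "$sample" || echo "stack needs fixing (compare Example 2)"
```

Stacks that do not contain pam_ldap are left alone, since the rule only applies where the UNIX modules and pam_ldap are stacked together. Running the check over the live /etc/pam.conf before and after an edit catches the two mistakes that silently change which module decides a login: a UNIX module left at required, so that pam_ldap still runs for local accounts, and a missing server_policy, so that the UNIX module evaluates LDAP users as well.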
FILES
/var/ldap/ldap_client_file
/var/ldap/ldap_client_cred
The LDAP configuration files of the client. Do not
manually modify these files, as these files may not be
human readable. Use ldapclient(1M) to update these
files.
/etc/pam.conf
PAM configuration file.
ATTRIBUTES
See attributes(5) for descriptions of the following
attributes:
____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| MT-Level | MT-Safe with exceptions |
|_____________________________|_____________________________|
| Stability Level | Evolving |
|_____________________________|_____________________________|
SEE ALSO
ldap(1), idsconfig(1M), ldap_cachemgr(1M), ldapclient(1M),
libpam(3LIB), pam(3PAM), pam_sm_authenticate(3PAM),
pam_sm_chauthtok(3PAM), pam_sm_setcred(3PAM), syslog(3C),
pam.conf(4), attributes(5), pam_authtok_check(5),
pam_authtok_get(5), pam_authtok_store(5),
pam_passwd_auth(5), pam_unix_account(5), pam_unix_auth(5)
NOTES
The interfaces in libpam(3LIB) are MT-Safe only if each
thread within the multi-threaded application uses its own
PAM handle.
For information on how to configure the user account
management, including password and account lockout policy
for the bundled Sun ONE Directory Server, please browse the
html file /usr/iplanet/ds5/manual/en/slapd/ag/password.htm.