unixdev.net


Switch to SpeakEasy.net DSL

The Modular Manual Browser

Home Page
Manual: (SunOS-5.10)
Page:
Section:
Apropos / Subsearch:
optional field

pam_ldap(5)           Standards, Environments, and Macros          pam_ldap(5)



NAME
       pam_ldap - authentication and account management PAM module for LDAP

SYNOPSIS
       /usr/lib/security/pam_ldap.so.1

DESCRIPTION
       The    pam_ldap    module    implements    pam_sm_authenticate()    and
       pam_sm_acct_mgmt(), the functions that provide  functionality  for  the
       PAM  authentication  and account management stacks. The pam_ldap module
       ties the authentication and account  management  functionality  to  the
       functionality  of  the  supporting  LDAP  server.  For  authentication,
       pam_ldap can authenticate the  user  directly  to  any  LDAP  directory
       server by using any supported authentication mechanism, such as DIGEST-
       MD5. However, the account management component of  pam_ldap  will  work
       only  with  the  Sun  Java  System  Directory Server. The server's user
       account management must be properly configured before it can be used by
       pam_ldap.  Refer to the Sun Java System Directory Server Administration
       Guide for information on how  to  configure  user  account  management,
       including password and account lockout policy.

       pam_ldap  must be used in conjunction with the modules that support the
       UNIX  authentication,  password,  and  account  management,  which  are
       pam_authtok_get(5),    pam_passwd_auth(5),   pam_unix_account(5),   and
       pam_unix_auth(5). pam_ldap is designed to  be  stacked  directly  below
       these modules. If other modules are designed to be stacked in this man-
       ner, the modules can be stacked below the pam_ldap module. The EXAMPLES
       section  shows  how  the  UNIX  modules are stacked with pam_ldap. When
       stacked together, the UNIX modules are used to control local  accounts,
       such  as  root.  pam_ldap is used to control network accounts, that is,
       LDAP users. For the stacks to  work,  pam_unix_auth,  pam_unix_account,
       and  pam_passwd_auth  must  be configured with the binding control flag
       and the server_policy option. This configuration allows  local  account
       override of a network account.

   LDAP Authentication Module
       The  LDAP  authentication  module  verifies the identity of a user. The
       pam_sm_authenticate(3PAM) function uses the  password  entered  by  the
       user  to attempt to authenticate to the LDAP server. If successful, the
       user is authenticated. See NOTES for information on password prompting.

       The authentication method used is either defined in the client  profile
       ,  or  the  authentication  method  is  configured  by  using the ldap-
       client(1M) command.  To determine the  authentication  method  to  use,
       this  module  first  attempts  to use the authentication method that is
       defined, for  service  pam_ldap,  for  example,  serviceAuthentication-
       Method:pam_ldap:sasl/DIGEST-MD5.   If   no   authentication  method  is
       defined, pam_ldap uses the default authentication  method.  If  neither
       are  set,  the  authentication  fails. This module skips the configured
       authentication method if the authentication method is set to none.

       The following options may be passed to the LDAP service module:

       debug

           syslog(3C) debugging information at LOG_DEBUG level.



       nowarn

           Turn off warning messages.



       These options are case sensitive, and the options must be used  exactly
       as presented here.

   LDAP Account Management Module
       The  LDAP  account  management module validates the user's account. The
       pam_sm_acct_mgmt(3PAM) function authenticates to  the  LDAP  server  to
       verify  that  the  user's  password has not expired, or that the user's
       account has not been locked. The following options may be passed to the
       LDAP service module:

       debug

           syslog(3C) debugging information at LOG_DEBUG level.



       nowarn

           Turn off warning messages.



       These  options are case sensitive, and the options must be used exactly
       as presented here.

   LDAP Password Management Module
       LDAP password management  is  no  longer  supported  by  pam_ldap.  Use
       pam_authtok_store(5) instead of pam_ldap for password change. pam_auth-
       tok_store(5) handles both the local and LDAP accounts and  updates  the
       passwords in all the repositories configured by nsswitch.conf(4).

ERRORS
       The authentication service returns the following error codes:

       PAM_SUCCESS             Authentication successful



       PAM_MAXTRIES            Maximum   number   of  authentication  attempts
                               exceeded



       PAM_AUTH_ERR            Authentication failure



       PAM_USER_UNKNOWN        No account present for user



       PAM_BUF_ERR             Memory buffer error



       PAM_SYSTEM_ERR          System error



       PAM_IGNORE              User's account inactivated



       The account management service returns the following error codes:

       PAM_SUCCESS             User allowed access to account



       PAM_NEW_AUTHTOK_REQD    New authentication token required



       PAM_ACCT_EXPIRED        User account has expired



       PAM_PERM_DENIED         User denied access to account at this time



       PAM_USER_UNKNOWN        No account present for user



       PAM_BUF_ERROR           Memory buffer error



       PAM_SYSTEM_ERR          System error



EXAMPLES
       Example 1: Using pam_ldap With Authentication

       The following is a configuration  for  the  login  service  when  using
       pam_ldap.  The  service  name  login  can  be substituted for any other
       authentication service such as dtlogin or su. Lines that begin with the
       # symbol are comments and are ignored.

       # Authentication management for login service is stacked.
       # If pam_unix_auth succeeds, pam_ldap is not invoked.
       # The control flag "binding" provides a local overriding
       # remote (LDAP) control. The "server_policy" option is used
       # to tell pam_unix_auth.so.1 to ignore the LDAP users.

       login   auth requisite  pam_authtok_get.so.1
       login   auth required   pam_dhkeys.so.1
       login   auth binding    pam_unix_auth.so.1 server_policy
       login   auth required   pam_ldap.so.1


       Example 2: Using pam_ldap With Account Management

       The  following  is  a  configuration  for account management when using
       pam_ldap. Lines that begin with the  #  symbol  are  comments  and  are
       ignored.

       # Account management for all services is stacked
       # If pam_unix_account succeeds, pam_ldap is not invoked.
       # The control flag "binding" provides a local overriding
       # remote (LDAP) control. The "server_policy" option is used
       # to tell pam_unix_account.so.1 to ignore the LDAP users.

       other   account  requisite      pam_roles.so.1
       other   account  required       pam_projects.so.1
       other   account  binding        pam_unix_account.so.1 server_policy
       other   account  required       pam_ldap.so.1


       Example  3:  Using  pam_authtok_store With Password Management For Both
       Local and LDAP Accounts

       The following is a configuration for  password  management  when  using
       pam_authtok_store.  Lines that begin with the # symbol are comments and
       are ignored.

       # Password management (authentication)
       # The control flag "binding" provides a local overriding
       # remote (LDAP) control. The server_policy option is used
       # to tell pam_passwd_auth.so.1 to ignore the LDAP users.

       passwd  auth binding  pam_passwd_auth.so.1 server_policy
       passwd  auth required pam_ldap.so.1

       # Password management (updates)
       # This updates passwords stored both in the local /etc
       # files and in the LDAP directory. The "server_policy"
       # option is used to tell pam_authtok_store to
       # follow the LDAP server's policy when updating
       # passwords stored in the LDAP directory

       other password required   pam_dhkeys.so.1
       other password requisite  pam_authtok_get.so.1
       other password requisite  pam_authtok_check.so.1
       other password required   pam_authtok_store.so.1 server_policy


FILES
       /var/ldap/ldap_client_file      The LDAP  configuration  files  of  the
       /var/ldap/ldap_client_cred      client.  Do  not  manually modify these
                                       files, as these files may not be  human
                                       readable.  Use ldapclient(1M) to update
                                       these files.




       /etc/pam.conf                   PAM configuration file.



ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:


       tab()    allbox;    cw(2.750000i)|     cw(2.750000i)     lw(2.750000i)|
       lw(2.750000i).   ATTRIBUTE  TYPEATTRIBUTE  VALUE  MT-LevelMT-Safe  with
       exceptions Stability LevelEvolving


SEE ALSO
       ldap(1),   idsconfig(1M),   ldap_cachemgr(1M),   ldapclient(1M),   lib-
       pam(3LIB),    pam(3PAM),    pam_sm_authenticate(3PAM),   pam_sm_chauth-
       tok(3PAM),    pam_sm_close_session(3PAM),    pam_sm_open_session(3PAM),
       pam_sm_setcred(3PAM), syslog(3C), pam.conf(4), attributes(5), pam_auth-
       tok_check(5),         pam_authtok_get(5),         pam_authtok_store(5),
       pam_passwd_auth(5), pam_unix_account(5), pam_unix_auth(5)

NOTES
       The  interfaces  in libpam(3LIB) are MT-Safe only if each thread within
       the multi-threaded application uses its own PAM handle.

       The previously supported use_first_pass and try_first_pass options  are
       obsolete  in  this version, are no longer needed, can safely be removed
       from pam.conf(4), and are silently ignored. They might be removed in  a
       future  release.  Password  prompting  must be provided for by stacking
       pam_authtok_get(5) before pam_ldap in  the  auth  and  password  module
       stacks  and  pam_passwd_auth(5)  in  the  passwd service auth stack (as
       described in the EXAMPLES section). The previously  supported  password
       update  function  is  replaced in this release by the previously recom-
       mended use of  pam_authtok_store  with  the  server_policy  option  (as
       described in the EXAMPLES section).

       The     functions:     pam_sm_setcred(3PAM),    pam_sm_chauthtok(3PAM),
       pam_sm_open_session(3PAM), and  pam_sm_close_session(3PAM)  do  nothing
       and return PAM_IGNORE in pam_ldap.



SunOS 5.10                        3 Jun 2004                       pam_ldap(5)