unixdev.net


Switch to SpeakEasy.net DSL

The Modular Manual Browser

Home Page
Manual: (SunOS-5.9)
Page:
Section:
Apropos / Subsearch:
optional field



Standards, Environments, and Macros                   pam_ldap(5)



NAME
     pam_ldap - authentication, account, and password  management
     PAM module for LDAP

SYNOPSIS
     /usr/lib/security/pam_ldap.so.1

DESCRIPTION
     The   pam_ldap   module   implements    pam_sm_authenticate,
     pam_sm_setcred,  pam_sm_acct_mgmt, and pam_sm_chauthtok, the
     functions that provide functionality for the PAM authentica-
     tion, account management and password management stacks. The
     pam_ldap module ties the authentication, account  management
     and  password  change  functionality to the functionality of
     the supporting LDAP server. For authentication, pam_ldap can
     authenticate  the user directly to any LDAP directory server
     by using any supported  authentication  mechanism,  such  as
     DIGEST-MD5.   However,  the  account management and password
     change components of pam_ldap will only  work with the  bun-
     dled Sun ONE Directory Server. The  Sun ONE Directory Server
     user account  management,  that  is,  password  and  account
     lockout  policy,  must  be properly configured on the server
     before  it  can  be   used  by  pam_ldap  to   provide   the
     account  management,  password  aging, and  password  syntax
     checking controls. Refer to the  Sun  ONE  Directory  Server
     Administrator's Guide that is cited in the NOTES section.

     pam_ldap must be used in  conjunction with the modules  that
     support  the  UNIX  authentication,   password,  and account
     management.,      which      are       pam_authtok_check(5),
     pam_authtok_get(5),                    pam_authtok_store(5),
     pam_passwd_auth(5),         pam_unix_account(5),         and
     pam_unix_auth(5).   pam_ldap   is  designed  to  be  stacked
     directly  below  these   modules.   If  other  modules   are
     designed  to  be stacked in this manner, the modules  can be
     stacked below the pam_ldap  module.   The  EXAMPLES  section
     shows  how the UNIX modules are stacked with pam_ldap.  When
     stacked together, the UNIX modules are used to control local
     accounts,  such  as root.  pam_ldap is used for control with
     the network accounts, that is, LDAP users. For the stacks to
     work,  pam_unix_auth, pam_unix_account, pam_passwd_auth, and
     pam_authtok_store must to configured with the  binding  con-
     trol  flag and the server_policy option.  This configuration
     allows local account override of a network account.

  LDAP Authentication Module
     The LDAP authentication module verifies the  identity  of  a
     user.  The  pam_sm_authenticate  function  uses the password
     entered by the user to  attempt to authenticate to the  LDAP
     server. If successful, the user is authenticated.





SunOS 5.9           Last change: 21 Jan 2003                    1






Standards, Environments, and Macros                   pam_ldap(5)



     The authentication method used  is  either  defined  in  the
     client  profile , or the authentication method is configured
     by using  the  ldapclient(1M)  command.   To  determine  the
     authentication  method to use, this module first attempts to
     use the authentication method that is defined,  for  service
     pam_ldap,                    for                    example,
     serviceAuthenticationMethod:pam_ldap:sasl/DIGEST-MD5. If  no
     authentication method is defined,  pam_ldap uses the default
     authentication method. If neither are set,  the  authentica-
     tion  fails. This module skips the configured authentication
     method if the authentication method is set to none.

     The pam_sm_setcred(3PAM) function does nothing.  This  func-
     tion always returns PAM_IGNORE.

     The following options may be  passed  to  the  LDAP  service
     module:

     debug syslog(3C) debugging information at LOG_DEBUG level.

     nowarn
           Turn off warning messages.

     These options are case sensitive,  and the options  must  be
     used exactly as presented here.

  LDAP Account Management Module
     The LDAP account  management  module  validates  the  user's
     account.   The pam_sm_acct_mgmt(3PAM) function authenticates
     to the LDAP server to verify that the  user's  password  has
     not expired, or that the user's account has not been locked.
     The following options may be  passed  to  the  LDAP  service
     module:

     debug syslog(3C) debugging information at LOG_DEBUG level.

     nowarn
           Turn off warning messages.

     These options are case sensitive,  and the options  must  be
     used exactly as presented here.

  LDAP Password Management Module
     The preferred way to configure password management for  LDAP
     is  by using the pam_authtok_store(5) module and by  specify
     ing the  server_policy  option.  Use  the  pam_authtok_store
     function   instead  of  pam_ldap  for  password change. When
     password management is configured this way, both  the  local
     and  LDAP accounts are handled. pam_authtok_store(5) updates
     the  passwords  in  all  the  repositories   configured   by
     nsswitch.conf(4).  pam_ldap updates only the password in the
     LDAP password database.



SunOS 5.9           Last change: 21 Jan 2003                    2






Standards, Environments, and Macros                   pam_ldap(5)



     The   LDAP   password   management   module   provides   the
     pam_sm_chauthtok()  function to change passwords in the LDAP
     database.

     The following options may be  passed  to  the  LDAP  service
     module:

     debug syslog(3C) debugging information at LOG_DEBUG level.

     nowarn
           Turn off warning messages.

     These options are case sensitive , and the options  must  be
     used exactly as presented here.

ERRORS
     The  authentication  service  returns  the  following  error
     codes:

     PAM_SUCCESS
           Authentication successful

     PAM_MAXTRIES
           Maximum number of authentication attempts exceeded

     PAM_AUTH_ERR
           Authentication failure

     PAM_USER_UNKNOWN
           No account present for user

     PAM_BUF_ERR
           Memory buffer error

     PAM_SYSTEM_ERR
           System error

     The account management service returns the  following  error
     codes:

     PAM_SUCCESS
           User allowed access to account

     PAM_NEW_AUTHTOK_REQD
           New authentication token required

     PAM_ACCT_EXPIRED
           User account has expired

     PAM_PERM_DENIED
           User denied access to account at this time




SunOS 5.9           Last change: 21 Jan 2003                    3






Standards, Environments, and Macros                   pam_ldap(5)



     PAM_USER_UNKNOWN
           No account present for user

     PAM_BUF_ERROR
           Memory buffer error

     PAM_SYSTEM_ERR
           System error

     The  password  management  service  returns  the   following
     values:

     PAM_SUCCESS
           Successfully updates authentication token

     PAM_PERM_DENIED
           No permission to update authentication token

     PAM_AUTHTOK_ERR
           Authentication token manipulation error

     PAM_USER_UNKNOWN
           No account present for user

     PAM_BUF_ERR
           Memory buffer error

     PAM_SYSTEM_ERR
           System error

EXAMPLES
     Example 1: Using pam_ldap With Authentication

     The following is a configuration for the login service  when
     using  pam_ldap.  The  service name login can be substituted
     for any other authentication service such as dtlogin or  su.
     Lines  that  begin with the # symbol are comments, and these
     lines  ignored.

     # Authentication management for login service is stacked.
     # If pam_unix_auth succeeds, pam_ldap is not invoked.
     # The control flag "binding" provides a local overriding
     # remote (LDAP) control.  The "server_policy" option is used
     # to tell pam_unix_auth.so.1 to ignore the LDAP users.

     login   auth requisite  pam_authtok_get.so.1
     login   auth required   pam_dhkeys.so.1
     login   auth binding    pam_unix_auth.so.1 server_policy
     login   auth required   pam_ldap.so.1

     Example 2: Using pam_ldap With Account Management




SunOS 5.9           Last change: 21 Jan 2003                    4






Standards, Environments, and Macros                   pam_ldap(5)



     The following is a configuration for account management when
     using  pam_ldap.  Lines  that  begin  with  the # symbol are
     ignored.

     # Account management for all services is stacked
     # If pam_unix_account succeeds, pam_ldap is not invoked.
     # The control flag "binding" provides a local overriding
     # remote (LDAP) control.  The "server_policy" option is used
     # to tell pam_unix_account.so.1 to ignore the LDAP users.

     other   account  requisite      pam_roles.so.1
     other   account  required       pam_projects.so.1
     other   account  binding        pam_unix_account.so.1 server_policy
     other   account  required       pam_ldap.so.1


     Example 3: Using pam_authtok_store With Password  Management
     For Both Local and LDAP Accounts

     The following is a  configuration  for  password  management
     when  using pam_authtok_store instead of pam_ldap. This con-
     figuration works because pam_authtok_store updates  password
     in  all  the  repositories  configured  by nsswitch.conf(4).
     Lines that begin with the # symbol are comments  ,  and  the
     lines are ignored.

     # Password management (authentication)
     passwd  auth binding  pam_passwd_auth.so.1 server_policy
     passwd  auth required pam_ldap.so.1

     # Password management (updates)
     # This is the preferred stack, since it updates
     # passwords stored both in the local /etc files and
     # in the LDAP directory.  The "server_policy"
     # option is used to tell pam_authtok_store to
     # follow the LDAP server's policy when updating
     # passwords stored in the LDAP directory

     other password required   pam_dhkeys.so.1
     other password requisite  pam_authtok_get.so.1
     other password requisite  pam_authtok_check.so.1
     other password required   pam_authtok_store.so.1 server_policy


     Example 4: Using pam_ldap With Password Management if  There
     are no Local Accounts

     Use the following configuration for password management when
     using  pam_ldap. Lines that begin with the # symbol are com-
     ments, and athe comments are ignored.





SunOS 5.9           Last change: 21 Jan 2003                    5






Standards, Environments, and Macros                   pam_ldap(5)



     # Password management (authentication)
     # The control flag "binding" provides a local overriding
     # remote (LDAP) control.  The server_policy option is used
     # to tell pam_passwd_auth.so.1 to ignore the LDAP users.

     passwd  auth binding  pam_passwd_auth.so.1 server_policy
     passwd  auth required pam_ldap.so.1

     # Password management (updates)
     # This stack is limited to updating password stored in the
     # LDAP directory.  The preferred method is shown in Example 3.

     other password required  pam_ldap.so.1


FILES
     /var/ldap/ldap_client_file

     /var/ldap/ldap_client_cred
           The LDAP configuration files of  the  client.  Do  not
           manually modify these files, as these files may not be
           human readable. Use  ldapclient(1M)  to  update  these
           files.

     /etc/pam.conf
           PAM configuration file.

ATTRIBUTES
     See attributes(5)  for descriptions of the following  attri-
     butes:

     ____________________________________________________________
    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    |_____________________________|_____________________________|
    | MT-Level                    | MT-Safe with exceptions     |
    |_____________________________|_____________________________|
    | Stability Level             | Evolving                    |
    |_____________________________|_____________________________|


SEE ALSO
     ldap(1), idsconfig(1M),  ldap_cachemgr(1M),  ldapclient(1M),
     libpam(3LIB),      pam(3PAM),     pam_sm_authenticate(3PAM),
     pam_sm_chauthtok(3PAM),  pam_sm_setcred(3PAM),   syslog(3C),
     pam.conf(4),       attributes(5),      pam_authtok_check(5),
     pam_authtok_get(5),                    pam_authtok_store(5),
     pam_passwd_auth(5), pam_unix_account(5), pam_unix_auth(5)

NOTES
     The interfaces in libpam(3LIB)  are  MT-Safe  only  if  each
     thread  within  the  multi-threaded application uses its own
     PAM handle.



SunOS 5.9           Last change: 21 Jan 2003                    6






Standards, Environments, and Macros                   pam_ldap(5)



     For information on how to configure the user account manage-
     ment,  including password and account lockout policy for the
     bundled Sun ONE Directory Server,  please  browse  the  html
     file /usr/iplanet/ds5/manual/en/slapd/ag/password.htm.



















































SunOS 5.9           Last change: 21 Jan 2003                    7