Manual: (Debian-5.0)
pam_ldap(5)                   File Formats Manual                  pam_ldap(5)



NAME
       pam_ldap - LDAP pluggable authentication module

DESCRIPTION
       The  pam_ldap  module  is a Pluggable Authentication Module (PAM) which
       provides  for  authentication,  authorization  and  password   changing
       against LDAP servers.

       Features  of  the  PADL  pam_ldap  module include support for transport
       layer security, SASL authentication, directory server-enforced password
       policy, and host- and group-based logon authorization.

       The present version of pam_ldap supports AIX 5L, FreeBSD 3.x and above,
       HP-UX 11i, IRIX 6.x, Linux, Mac OS X 10.2 and above,  and  Solaris  2.6
       and   above.   Many  vendors  provide  their  own  LDAP  authentication
       providers, often also called pam_ldap.  This manual page applies to the
       PADL  pam_ldap  module only. If you are using a vendor provided module,
       consult the relevant documentation instead.

       When authenticating or authorizing a  user,  pam_ldap  first  maps  the
       user's  login  name  to a distinguished name by searching the directory
       server. This must be possible using the local system's identity, speci-
       fied  in pam_ldap.conf. (Note that presently only simple authentication
       is supported for authenticating in this initial step.)

       To authenticate a user, pam_ldap attempts  to  bind  to  the  directory
       server using the distinguished name of the user (retrieved previously).
       Both simple and SASL authentication mechanisms are  supported;  in  the
       former  case, one should take care to use transport security to prevent
       the user's password being transmitted in the clear.

       A variety of authorization primitives are supported by  pam_ldap,  dis-
       cussed in the configuration section below.

       Finally,  pam_ldap  supports a number of password change protocols used
       by directory servers from various vendors. (Some directory servers sup-
       port more than one password change protocol.)

       Whilst  pam_ldap is generally configured in the system LDAP naming con-
       figuration file (pam_ldap.conf), some options can be configured in  the
       PAM  configuration  file,  to  allow for per-service granularity. These
       options include the path to the LDAP naming configuration file to  use,
       so  in  effect  all  options  can be configured on a per-service basis.
       Options are listed below under PAM Configuration.

CONFIGURATION
       pam_ldap stores its configuration in the pam_ldap.conf file. (It should
       be  noted that some LDAP client libraries, such as OpenLDAP, also use a
       configuration file of the same name.  pam_ldap  supports  many  of  the
       same  configuration  file options as OpenLDAP, but it adds several that
       are specific to the functionality it provides.  It  is  not  guaranteed
       that  pam_ldap  will continue to match the configuration file semantics
       of OpenLDAP.  You may wish to use different files.)

       Configuration file options consist of a keyword followed by a space and
       any arguments. The following options are supported by both pam_ldap and
       the PADL nss_ldap module:

       host <name:port ...>
              Specifies the name(s) or IP address(es) of the LDAP server(s) to
              connect to. In the case that nss_ldap is used for host name res-
              olution, each server should be specified as  an  IP  address  or
              name  that can be resolved without using LDAP.  Multiple servers
              may be specified, each separated by a space.  The failover  time
              depends on whether the LDAP client library supports configurable
              network or connect timeouts (see bind_timelimit below).

       base <base>
              Specifies the default base distinguished name (DN)  to  use  for
              searches.

       uri <ldap[is]://[name[:port]] ...>
              For  LDAP client libraries that support it, specifies the URI(s)
              of the LDAP server(s) to connect to. The URI scheme may be ldap,
              ldapi,  or  ldaps, specifying LDAP over TCP, IPC and SSL respec-
              tively. If applicable, a  port  number  can  be  specified;  the
              default  port  number for the selected protocol is used if omit-
              ted. This option takes precedence over the host  option;  it  is
              not possible to combine the two.

       ldap_version <version>
              Specifies  the  version  of  the LDAP protocol to use. Presently
              version must be 2 or 3. The default is to use the  maximum  ver-
              sion supported by the client library.

       binddn <binddn>
              Specifies  the  distinguished  name  with  which  to bind to the
              directory server(s). This option is optional; the default is  to
              bind anonymously.

       bindpw <bindpw>
              Specifies  the  cleartext  credentials  with which to bind. This
              option is only applicable  when  used  with  binddn  above.  The
              default  is  no credential (anonymous bind). When binding to the
              directory using SASL or other  authentication  mechanisms  apart
              from simple binds, this option is not used.

       rootbinddn <binddn>
              This  option has the same syntax and effect as the binddn option
              above, except it applies when the effective user ID is zero.  If
              not  specified,  then  the  identity specified in binddn is used
              instead. Because the configuration file may be readable by  many
              users,   the   root  bind  DN  credentials  are  stored  in  the
              pam_ldap.secret file instead. This file is usually in  the  same
              directory as the configuration file.

       port <port>
              Specifies  the  port to connect to; this option is used with the
              host option, and is ignored with the uri option.

       scope <sub|one|base>
              Specifies the search scope (subtree, one level or base  object).
              The  default scope is subtree; base scope is almost never useful
              for nameservice lookups.

       deref <never|searching|finding|always>
              Specifies the policy for dereferencing aliases. The default pol-
              icy is to never dereference aliases.

       timelimit <timelimit>
              Specifies  the  time  limit  (in seconds) to use when performing
              searches. A value of zero (0), which is the default, is to  wait
              indefinitely for searches to be completed.

       bind_timelimit <timelimit>
              Specifies  the time limit (in seconds) to use when connecting to
              the directory server. This is distinct from the time limit spec-
              ified  in  timelimit  and  affects the initial server connection
              only. (Server connections are otherwise cached.) Only some  LDAP
              client  libraries have the underlying functionality necessary to
              support this option. The default bind timelimit is 30 seconds.

       referrals <yes|no>
              Specifies whether automatic referral chasing should be  enabled.
              The default behaviour is specified by the LDAP client library.

       restart <yes|no>
              Specifies  whether  the  LDAP client library should restart the
              select(2) system call when interrupted. This feature is not sup-
              ported by all client libraries.

       logdir <directory>
              Specifies  the  directory  used  for  logging by the LDAP client
              library. This feature is not supported by all client libraries.

       debug <level>
              Specifies the debug level used for logging by  the  LDAP  client
              library.  This feature is not supported by all client libraries,
              and does not apply to the nss_ldap and  pam_ldap  modules  them-
              selves  (debugging, if any, is configured separately and usually
              at compile time).

       ssl <on|off|start_tls>
              Specifies whether to use SSL/TLS or not (the default is not to).
              If  start_tls is specified then StartTLS is used rather than raw
              LDAP over SSL.  Not all LDAP client libraries support  both  SSL
              and StartTLS, and all related configuration options.

       sslpath <cert7_path>
              For  the  Netscape  and Mozilla LDAP client libraries only, this
              specifies the path to the X.509 certificate database.

       tls_checkpeer <yes|no>
              Specifies whether to require and verify the  server  certificate
              or  not,  when  using  SSL/TLS with the OpenLDAP client library.
              The default is to  use  the  default  behaviour  of  the  client
              library;  for  OpenLDAP 2.0 and earlier it is "no", for OpenLDAP
              2.1 and later it is "yes". At least  one  of  tls_cacertdir  and
              tls_cacertfile is required if peer verification is enabled.

       tls_cacertdir <certificate_dir>
              Specifies  the  directory containing X.509 certificates for peer
              authentication.

       tls_cacertfile <certificate_file>
              Specifies the path to the X.509 certificate for peer authentica-
              tion.

       tls_randfile <entropy_file>
              Specifies the path to an entropy source.

       tls_ciphers <ciphers>
              Specifies  the  ciphers to use for TLS. See your TLS implementa-
              tion's documentation for further information.

       tls_cert <certificate_file>
              Specifies the path to the file containing the local  certificate
              for client TLS authentication.

       tls_key <key_file>
              Specifies  the  path  to the file containing the private key for
              client TLS authentication.
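       The options above decide whether the user's password and  the  binddn
       credential  cross  the network protected or in the clear.  The follow-
       ing script is an added example, not part of pam_ldap or PADL's code: it
       parses  the  keyword/argument  format  of pam_ldap.conf and flags the
       weak combinations this manual warns about (no SSL/TLS with simple binds,
       tls_checkpeer  no,  tls_checkpeer  yes  without  a CA source, bindpw in a
       readable file rather than rootbinddn with pam_ldap.secret,  a  cleartext
       pam_password  protocol  without  TLS).  The two sample configurations,
       host names and credentials are constructed; the severity labels are the
       script's own.

```python
"""Lint a pam_ldap.conf for the transport and credential weaknesses that the
option descriptions in pam_ldap(5) call out.  Added example, not PADL's code:
keyword semantics follow the manual; the severity labels are this script's."""
import os
import stat
import sys

# Constructed sample: simple binds in the clear, a proxy credential in the
# (typically world-readable) main config file, and cleartext password changes.
WEAK_CONF = """\
host ldap.example.com
base dc=example,dc=com
binddn cn=proxy,dc=example,dc=com
bindpw proxy-secret
ssl off
pam_password clear
"""

# Constructed sample: LDAP over SSL with peer verification, root-only
# credentials moved to pam_ldap.secret via rootbinddn, RFC 3062 exop.
HARDENED_CONF = """\
uri ldaps://ldap.example.com/
base dc=example,dc=com
ssl on
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/example-ca.pem
rootbinddn cn=manager,dc=example,dc=com
pam_password exop
"""


def parse_pam_ldap_conf(text):
    """'keyword arguments' per line; blank lines and '#' comments skipped.
    A repeated keyword keeps the last value (this linter's assumption)."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        options[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return options


def lint_pam_ldap_conf(options, conf_mode=None):
    """Return (severity, message) findings.  conf_mode is the st_mode of the
    file the options came from; it is used only to judge where bindpw lives."""
    findings = []
    if "uri" in options and "host" in options:
        findings.append(("warn", "uri and host both set; uri takes precedence and host is ignored"))

    # Encrypted if ssl is on/start_tls, or every uri is ldaps:// (TLS) or
    # ldapi:// (local IPC socket, which never crosses the network).
    ssl = options.get("ssl", "off").lower()
    schemes = {u.split("://", 1)[0].lower() for u in options.get("uri", "").split()}
    encrypted = ssl in ("on", "start_tls") or (bool(schemes) and schemes <= {"ldaps", "ldapi"})
    if not encrypted:
        findings.append(("high", "no SSL/TLS: simple binds send the user's password in the clear"))

    checkpeer = options.get("tls_checkpeer", "").lower()
    if encrypted and checkpeer == "no":
        findings.append(("high", "tls_checkpeer no: the server certificate is not verified"))
    if encrypted and checkpeer == "yes" and not (options.get("tls_cacertdir") or options.get("tls_cacertfile")):
        findings.append(("high", "tls_checkpeer yes needs tls_cacertdir or tls_cacertfile"))

    if "bindpw" in options:
        if "binddn" not in options:
            findings.append(("info", "bindpw without binddn has no effect"))
        if conf_mode is not None and conf_mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append(("high", "bindpw in a group/world-readable file; for root use rootbinddn with pam_ldap.secret"))

    if options.get("pam_password", "").lower() in ("clear", "clear_remove_old", "nds", "racf") and not encrypted:
        findings.append(("high", "cleartext password-change protocol without SSL/TLS"))
    return findings


def lint_text(text, conf_mode=None):
    return lint_pam_ldap_conf(parse_pam_ldap_conf(text), conf_mode)


def lint_file(path):
    """Lint a real file, taking its mode bits from the filesystem."""
    with open(path) as fh:
        text = fh.read()
    return lint_text(text, os.stat(path).st_mode)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for sev, msg in lint_file(sys.argv[1]):
            print(f"{sev}: {msg}")
    else:
        for name, text, mode in (("weak", WEAK_CONF, 0o644), ("hardened", HARDENED_CONF, 0o600)):
            print(f"{name}: {lint_text(text, mode) or 'no findings'}")
```

       Run  it  with  a  path  (python3 lint_pam_ldap.py /etc/pam_ldap.conf) to
       check a live file, or without arguments to see the two  samples  judged.
       Switching  the weak sample to ssl start_tls and mode 0600 clears all of
       its findings, which is the point: the same binddn/bindpw  setup  is  ac-
       ceptable once the channel and the file permissions are fixed.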

       The following configuration options apply to pam_ldap only:

       pam_login_attribute <attribute>
              Specifies the attribute to use when constructing  the  attribute
              value  assertion  for  retrieving a directory entry for a user's
              login name.  The default is "uid", for  compatibility  with  RFC
              2307.

       pam_filter <filter>
              Specifies  a filter to use when retrieving user information. The
              user  entry  must  match  the  attribute  value   assertion   of
              (pam_login_attribute=login_name) as well as any filter specified
              here. There is no default for this option.

       pam_lookup_policy <yes|no>
              Specifies whether to search the root DSE  for  password  policy.
              The default is "no".

       pam_check_host_attr <yes|no>
              Specifies  whether  the  "host"  attribute should be checked for
              logon authorization ("account" in the PAM stack). The default is
              not  to.  If set to "yes" and a user has no value for the "host"
              attribute, then the user will be unable to login.

       pam_check_service_attr <yes|no>
              Specifies whether the "authorizedService"  attribute  should  be
              checked  for  logon  authorization ("account" in the PAM stack).
              The default is not to. If set to "yes" and a user has  no  value
              for  the  "authorizedService"  attribute,  then the user will be
              unable to login.

       pam_groupdn <groupdn>
              Specifies the distinguished name of a group to which a user must
              belong for logon authorization to succeed.

       pam_member_attribute <attribute>
              Specifies the attribute to use when testing a user's  membership
              of a group specified in the pam_groupdn option.

       pam_min_uid <uid>
              If  specified,  a user must have a POSIX user ID of at least uid
              in order for logon authorization to succeed.

       pam_max_uid <uid>
              If specified, a user must have a POSIX user  ID  of  no  greater
              than uid in order for logon authorization to succeed.
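       The host, service, group and uid-range options above  are  independent
       gates  in  the  PAM  "account"  stage, and a user has to pass every one
       that is enabled.  The following model of that decision  is  an  added
       example,  not  PADL's  code,  run over a constructed directory.  It as-
       sumes that host and authorizedService values are compared literally with
       the  local  hostname  and  PAM service name, that group membership means
       the user's DN appears among the group's pam_member_attribute values (de-
       fault  "member"  is  an  assumption here), and that the POSIX uid comes
       from uidNumber.

```python
"""Model of the logon-authorization gates pam_ldap(5) describes for the PAM
'account' stage: pam_check_host_attr, pam_check_service_attr, pam_groupdn with
pam_member_attribute, pam_min_uid and pam_max_uid.  Added example, not PADL's
code.  Assumptions: literal comparison of host/authorizedService values, group
membership = user DN listed under pam_member_attribute, uid from uidNumber."""

# Constructed directory: two user entries and one group, attribute -> values.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "uid": ["alice"], "uidNumber": ["10001"],
        "host": ["web01.example.com"], "authorizedService": ["sshd"],
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "uid": ["bob"], "uidNumber": ["999"],   # no host, no authorizedService
    },
    "cn=shell,ou=groups,dc=example,dc=com": {
        "member": ["uid=alice,ou=people,dc=example,dc=com"],
    },
}

DEFAULTS = {"pam_member_attribute": "member"}  # default value is an assumption

# Constructed pam_ldap.conf options, as parsed into a dict.
CONFIG = {
    "pam_check_host_attr": "yes",
    "pam_check_service_attr": "yes",
    "pam_groupdn": "cn=shell,ou=groups,dc=example,dc=com",
    "pam_min_uid": "1000",
}


def authorize(user_dn, config, directory, hostname, service):
    """Return (allowed, reasons).  Every enabled gate must pass; a missing
    host/authorizedService attribute fails its gate, as the manual states."""
    cfg = {**DEFAULTS, **config}
    entry = directory[user_dn]
    reasons = []

    if cfg.get("pam_check_host_attr") == "yes" and hostname not in entry.get("host", []):
        reasons.append(f"host attribute does not list {hostname}")

    if cfg.get("pam_check_service_attr") == "yes" and service not in entry.get("authorizedService", []):
        reasons.append(f"authorizedService attribute does not list {service}")

    if "pam_groupdn" in cfg:
        # Read the group entry once, the way the module would search it.
        members = directory.get(cfg["pam_groupdn"], {}).get(cfg["pam_member_attribute"], [])
        if user_dn not in members:
            reasons.append(f"not a {cfg['pam_member_attribute']} of {cfg['pam_groupdn']}")

    uid = int(entry["uidNumber"][0])
    if "pam_min_uid" in cfg and uid < int(cfg["pam_min_uid"]):
        reasons.append(f"uid {uid} below pam_min_uid {cfg['pam_min_uid']}")
    if "pam_max_uid" in cfg and uid > int(cfg["pam_max_uid"]):
        reasons.append(f"uid {uid} above pam_max_uid {cfg['pam_max_uid']}")

    return (not reasons, reasons)


if __name__ == "__main__":
    for dn in DIRECTORY:
        if dn.startswith("uid="):
            print(dn, authorize(dn, CONFIG, DIRECTORY, "web01.example.com", "sshd"))
```

       With  the  sample  configuration alice is admitted on web01 for sshd and
       refused on any other host, while bob, who carries neither attribute and
       has  a  uid  below  the  floor, is refused for four separate reasons; an
       empty configuration admits both, since no gate is enabled.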

       pam_template_login_attribute <attribute>
              When  using  template  users  (not supported by all PAM applica-
              tions), specifies the attribute  containing  the  user's  actual
              login  name.  The pam_ldap module will set PAM_USER to the value
              of this attribute if present in the user's entry,  otherwise  it
              defaults to the user specified in the pam_template_login option.

       pam_template_login <user>
              When  using  template  users  (not supported by all PAM applica-
              tions), pam_ldap will set PAM_USER to the value of  this  option
              if the user does not contain a template login attribute.

       pam_password <protocol>
              Specifies  the  password  change  protocol to use. The following
              protocols are supported:

              clear  Change password using an  LDAPModify  request,  replacing
                     the userPassword value with the new cleartext password.

              clear_remove_old
                     Change password using an LDAPModify request, first remov-
                     ing the userPassword value containing the  old  cleartext
                     password, and then adding the userPassword value with the
                     new cleartext password. This protocol  is  necessary  for
                     use with Novell NDS and IBM RACF.

              crypt  Change password using an LDAPModify request, first gener-
                     ating a one way hash of the new password  using  crypt(3)
                     and then replacing userPassword value with the new hashed
                     password.

              md5    Change password using an LDAPModify request, first gener-
                     ating  a  one  way hash of the new password using MD5 and
                     then replacing userPassword value  with  the  new  hashed
                     password.

              nds    This is an alias for clear_remove_old.

              racf   This is an alias for clear_remove_old.

              ad     Change  password  using  an LDAPModify request, using the
                     Active  Directory  Services  Interface  (ADSI)   password
                     change protocol.

              exop   Change  password  using  the  RFC  3062  password  modify
                     extended operation (only the new password is sent).

              exop_send_old
                     Change  password  using  the  RFC  3062  password  modify
                     extended  operation  (both  the old and new passwords are
                     sent).
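       The difference between exop and exop_send_old is  simply  which  optional
       fields  of  the  RFC  3062  request  value  are present.  The following
       encoder and decoder, an added example rather than pam_ldap's  own  code,
       builds  the  BER  PasswdModifyRequestValue for each protocol, wraps it in
       an RFC 4511 ExtendedRequest, and decodes it again to show what  crossed
       the wire.  It assumes userIdentity carries the user's DN (the one found
       by the login-name search); the DN and passwords are constructed.

```python
"""What pam_password exop and exop_send_old put on the wire: a BER
encoder/decoder for the RFC 3062 PasswdModifyRequestValue inside an LDAP
ExtendedRequest (RFC 4511).  Added example, not pam_ldap's code; the sample DN
and passwords are constructed, and userIdentity = user DN is an assumption."""

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062 requestName


def _ber_length(n):
    """Definite-form length: short form below 128, else 0x80|count + big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _ber_length(len(content)) + content


def passwd_modify_request_value(user_identity=None, old_password=None, new_password=None):
    """PasswdModifyRequestValue ::= SEQUENCE {
         userIdentity [0] OCTET STRING OPTIONAL,   -- context tag 0x80
         oldPasswd    [1] OCTET STRING OPTIONAL,   -- context tag 0x81
         newPasswd    [2] OCTET STRING OPTIONAL }  -- context tag 0x82"""
    fields = b""
    for tag, value in ((0x80, user_identity), (0x81, old_password), (0x82, new_password)):
        if value is not None:
            fields += _tlv(tag, value.encode("utf-8"))
    return _tlv(0x30, fields)


def exop_request_value(protocol, user_dn, old_password, new_password):
    """The value pam_password=exop (new only) or exop_send_old (old and new) sends."""
    if protocol == "exop":
        return passwd_modify_request_value(user_dn, None, new_password)
    if protocol == "exop_send_old":
        return passwd_modify_request_value(user_dn, old_password, new_password)
    raise ValueError("not an RFC 3062 protocol: " + protocol)


def ldap_extended_request(message_id, oid, value):
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp ExtendedRequest }
    ExtendedRequest ::= [APPLICATION 23] SEQUENCE {        -- tag 0x77
         requestName  [0] LDAPOID,                          -- tag 0x80
         requestValue [1] OCTET STRING OPTIONAL }           -- tag 0x81"""
    # (bit_length + 8) // 8 leaves room for a leading 0x00 when the top bit is set.
    msg_id = _tlv(0x02, message_id.to_bytes((message_id.bit_length() + 8) // 8, "big"))
    op = _tlv(0x77, _tlv(0x80, oid.encode("ascii")) + _tlv(0x81, value))
    return _tlv(0x30, msg_id + op)


def _read_tlv(buf, pos):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_passwd_modify_request_value(value):
    """Inverse of passwd_modify_request_value: which optional fields are present."""
    names = {0x80: "userIdentity", 0x81: "oldPasswd", 0x82: "newPasswd"}
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("expected a single SEQUENCE")
    fields, pos = {}, 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        fields[names[tag]] = content.decode("utf-8")
    return fields


if __name__ == "__main__":
    dn = "uid=alice,ou=people,dc=example,dc=com"  # constructed
    for protocol in ("exop", "exop_send_old"):
        value = exop_request_value(protocol, dn, "OldPass1", "NewPass2")
        print(protocol, sorted(decode_passwd_modify_request_value(value)))
        print("  ", ldap_extended_request(1, PASSWD_MODIFY_OID, value).hex())
```

       Whichever  variant  is  chosen, the old and new passwords travel as plain
       OCTET STRINGs inside the request, so this operation  belongs  on  an  ssl
       on  or  start_tls connection just as the simple bind does; the extended
       operation only saves the client from having to know how the server hashes
       userPassword.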

       pam_password_prohibit_message <message>
              Specifies a message to send to users indicating  that  passwords
              cannot  be  changed.  This  could  be  used to redirect users to
              another means of changing passwords.

       pam_sasl_mech <mechanism>
              Specifies the SASL mechanism to use for PAM authentication. This
              requires SASL libraries to be installed. Support for this  func-
              tionality is presently experimental and does not support  pass-
              word policy controls.

PAM CONFIGURATION
       It  is  possible to configure some aspects of pam_ldap on a per-service
       basis, in the PAM configuration file (this  is  usually  /etc/pam.conf;
       for  PAM  implementations  based  on  Linux-PAM,  per-service  files in
       /etc/pam.d are also supported).

       The following options may be specified as  arguments  to  the  pam_ldap
       module:

       config=<path>
              Specifies  that  pam_ldap  should  use the configuration file in
              path instead of pam_ldap.conf to retrieve its global  configura-
              tion.  Configuring  multiple  instances of pam_ldap for the same
              service with different configuration  files  is  not  supported,
              because the configuration information is cached.

       use_first_pass
              Specifies  that  pam_ldap  should  always use the first password
              provided in the authentication stack.

       try_first_pass
              Specifies that pam_ldap should first try the first password pro-
              vided  in the authentication stack, and then prompt the user for
              their LDAP password if authentication fails.

       ignore_unknown_user
              Specifies that pam_ldap should return PAM_IGNORE for users  that
              are  not  present  in  LDAP.   This  forces the PAM framework to
              ignore the pam_ldap module. This option is useful where  certain
              accounts  do not reside in LDAP, but one wishes to make pam_ldap
              "required" for all accounts in the directory. In this  case  one
              would  make  both  pam_ldap  and  the other module (for example,
              pam_unix) "required" and enable the ignore_unknown_user  option.
              (For  this  to  work, the other module must behave similarly for
              users in the directory; in the case of a module such as pam_unix
              that uses the system accounts database, using nss_ldap(5) should
              be sufficient to meet this requirement.)

       ignore_authinfo_unavail
              Specifies that pam_ldap should return PAM_IGNORE  if  it  cannot
              contact the LDAP server. This option forces the PAM framework to
              ignore the pam_ldap module in this case.

       no_warn
              Specifies that warning messages should not be propagated to  the
              PAM application.

       use_authtok
              Analogous to use_first_pass for password changing only.

       debug  This option is recognized by pam_ldap but is presently ignored.

AUTHOR
       The   pam_ldap   module   was   developed  by  PADL  Software  Pty  Ltd
       (www.padl.com).

FILES
       /etc/pam_ldap.conf, /etc/pam_ldap.secret, /etc/pam.conf

SEE ALSO
       pam(8)



                                                                   pam_ldap(5)