OpenSolaris 2009.06 - man page for pam_ldap (opensolaris section 5)

pam_ldap(5)		       Standards, Environments, and Macros		      pam_ldap(5)

NAME
       pam_ldap - authentication and account management PAM module for LDAP

SYNOPSIS
       /usr/lib/security/pam_ldap.so.1

DESCRIPTION
       The pam_ldap module implements pam_sm_authenticate(3PAM) and pam_sm_acct_mgmt(3PAM), the
       functions that provide functionality for the PAM authentication and account management
       stacks. The pam_ldap module ties the authentication and account management functionality
       to the functionality of the supporting LDAP server. For authentication, pam_ldap can
       authenticate the user directly to any LDAP directory server by using any supported
       authentication mechanism, such as DIGEST-MD5. However, the account management component
       of pam_ldap will work only with the Sun Java System Directory Server. The server's user
       account management must be properly configured before it can be used by pam_ldap. Refer
       to the Sun Java System Directory Server Administration Guide for information on how to
       configure user account management, including password and account lockout policy.

       pam_ldap must be used in conjunction with the modules that support the UNIX
       authentication, password, and account management, which are pam_authtok_get(5),
       pam_passwd_auth(5), pam_unix_account(5), and pam_unix_auth(5). pam_ldap is designed to be
       stacked directly below these modules. If other modules are designed to be stacked in this
       manner, the modules can be stacked below the pam_ldap module. The Examples section shows
       how the UNIX modules are stacked with pam_ldap. When stacked together, the UNIX modules
       are used to control local accounts, such as root. pam_ldap is used to control network
       accounts, that is, LDAP users. For the stacks to work, pam_unix_auth, pam_unix_account,
       and pam_passwd_auth must be configured with the binding control flag and the
       server_policy option. This configuration allows local account override of a network
       account.

   LDAP Authentication Module
       The LDAP authentication module verifies the identity of a user. The
       pam_sm_authenticate(3PAM) function uses the password entered by the user to attempt to
       authenticate to the LDAP server. If successful, the user is authenticated. See NOTES for
       information on password prompting.

       The authentication method used is either defined in the client profile, or the
       authentication method is configured by using the ldapclient(1M) command. To determine the
       authentication method to use, this module first attempts to use the authentication method
       that is defined for service pam_ldap, for example,
       serviceAuthenticationMethod:pam_ldap:sasl/DIGEST-MD5. If no authentication method is
       defined, pam_ldap uses the default authentication method. If neither is set, the
       authentication fails. This module skips the configured authentication method if the
       authentication method is set to none.

       The following options can be passed to the LDAP service module:

       debug    syslog(3C) debugging information at LOG_DEBUG level.

       nowarn   Turn off warning messages.

       These options are case sensitive and must be used exactly as presented here.

   LDAP Account Management Module
       The LDAP account management module validates the user's account. The
       pam_sm_acct_mgmt(3PAM) function authenticates to the LDAP server to verify that the
       user's password has not expired, or that the user's account has not been locked. In the
       event that there is no user authentication token (PAM_AUTHTOK) available, the
       pam_sm_acct_mgmt(3PAM) function attempts to retrieve the user's account status without
       authenticating to the LDAP server as the user logging in. This procedure will succeed
       only if the LDAP server is Sun Java System Directory Server 5.2 patch 4 or newer. The
       following options can be passed to the LDAP service module:

       debug    syslog(3C) debugging information at LOG_DEBUG level.

       nowarn   Turn off warning messages.

       These options are case sensitive, and the options must be used exactly as presented here.

   LDAP Password Management Module
       LDAP password management is no longer supported by pam_ldap. Use pam_authtok_store(5)
       instead of pam_ldap for password change. pam_authtok_store(5) handles both the local and
       LDAP accounts and updates the passwords in all the repositories configured by
       nsswitch.conf(4).

ERRORS
       The authentication service returns the following error codes:

       PAM_SUCCESS         The authentication was successful.

       PAM_MAXTRIES        The maximum number of authentication attempts was exceeded.

       PAM_AUTH_ERR        The authentication failed.

       PAM_USER_UNKNOWN    No account is present for the user.

       PAM_BUF_ERR         A memory buffer error occurred.

       PAM_SYSTEM_ERR      A system error occurred.

       PAM_IGNORE          The user's account was inactivated.

       The account management service returns the following error codes:

       PAM_SUCCESS             The user was allowed access to the account.

       PAM_NEW_AUTHTOK_REQD    A new authentication token is required.

       PAM_ACCT_EXPIRED        The user account has expired.

       PAM_PERM_DENIED         The user was denied access to the account at this time.

       PAM_USER_UNKNOWN        No account is present for the user.

       PAM_BUF_ERR             A memory buffer error occurred.

       PAM_SYSTEM_ERR          A system error occurred.

EXAMPLES
       Example 1 Using pam_ldap With Authentication

       The following is a configuration for the login service when using pam_ldap. The service
       name login can be substituted for any other authentication service such as dtlogin or su.
       Lines that begin with the # symbol are comments and are ignored.

	 # Authentication management for login service is stacked.
	 # If pam_unix_auth succeeds, pam_ldap is not invoked.
	 # The control flag "binding" provides a local overriding
	 # remote (LDAP) control. The "server_policy" option is used
	 # to tell pam_unix_auth.so.1 to ignore the LDAP users.

	 login	 auth requisite  pam_authtok_get.so.1
	 login	 auth required	 pam_dhkeys.so.1
	 login	 auth required	 pam_unix_cred.so.1
	 login	 auth binding	 pam_unix_auth.so.1 server_policy
	 login	 auth required	 pam_ldap.so.1

       Example 2 Using pam_ldap With Account Management

       The following is a configuration for account management when using pam_ldap. Lines that
       begin with the # symbol are comments and are ignored.

	 # Account management for all services is stacked
	 # If pam_unix_account succeeds, pam_ldap is not invoked.
	 # The control flag "binding" provides a local overriding
	 # remote (LDAP) control. The "server_policy" option is used
	 # to tell pam_unix_account.so.1 to ignore the LDAP users.

	 other	 account  requisite	 pam_roles.so.1
	 other	 account  binding	 pam_unix_account.so.1 server_policy
	 other	 account  required	 pam_ldap.so.1

       Example 3 Using pam_authtok_store With Password Management For Both Local and LDAP
       Accounts

       The following is a configuration for password management when using pam_authtok_store.
       Lines that begin with the # symbol are comments and are ignored.

	 # Password management (authentication)
	 # The control flag "binding" provides a local overriding
	 # remote (LDAP) control. The server_policy option is used
	 # to tell pam_passwd_auth.so.1 to ignore the LDAP users.

	 passwd  auth binding  pam_passwd_auth.so.1 server_policy
	 passwd  auth required pam_ldap.so.1

	 # Password management (updates)
	 # This updates passwords stored both in the local /etc
	 # files and in the LDAP directory. The "server_policy"
	 # option is used to tell pam_authtok_store to
	 # follow the LDAP server's policy when updating
	 # passwords stored in the LDAP directory

	 other password required   pam_dhkeys.so.1
	 other password requisite  pam_authtok_get.so.1
	 other password requisite  pam_authtok_check.so.1
	 other password required   pam_authtok_store.so.1 server_policy
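       The following is an added configuration check, not part of this man page or of Sun's
       pam_ldap code: it reads a pam.conf and reports stacks that break the rules given in
       DESCRIPTION and NOTES (the UNIX module stacked above pam_ldap with the binding flag and
       server_policy, pam_authtok_get before pam_ldap for password prompting, the obsolete
       use_first_pass/try_first_pass options, and pam_ldap left in a password stack). The sample
       configuration is constructed for the demonstration.

```python
"""Audit a pam.conf against the pam_ldap(5) stacking rules (added example, not Sun's code)."""

# UNIX module that must gate pam_ldap for each module type; passwd/auth uses pam_passwd_auth.
LOCAL_MODULE = {"auth": "pam_unix_auth.so.1", "account": "pam_unix_account.so.1"}
OBSOLETE = {"use_first_pass", "try_first_pass"}  # silently ignored by this pam_ldap

def parse_pam_conf(text):
    """Return (service, type, flag, module, options) per entry; '#' comments are dropped."""
    rows = [line.split("#", 1)[0].split() for line in text.splitlines()]
    return [(f[0], f[1], f[2], f[3], set(f[4:])) for f in rows if len(f) >= 4]

def audit_pam_conf(text):
    """Return findings for every stack containing pam_ldap; [] means the stacks look right.
    Each (service, type) stack is judged alone; fallback to the 'other' stack is not modelled."""
    stacks, findings = {}, []
    for svc, mtype, flag, mod, opts in parse_pam_conf(text):
        stacks.setdefault((svc, mtype), []).append((flag, mod, opts))
    for (svc, mtype), stack in stacks.items():
        mods = [m for _, m, _ in stack]
        if "pam_ldap.so.1" not in mods:
            continue
        where, idx = f"{svc}/{mtype}", mods.index("pam_ldap.so.1")
        if mtype == "password":  # password updates moved to pam_authtok_store(5)
            findings.append(f"{where}: pam_ldap no longer updates passwords; use pam_authtok_store.so.1 server_policy")
            continue
        local = "pam_passwd_auth.so.1" if where == "passwd/auth" else LOCAL_MODULE.get(mtype)
        if local is None:  # setcred/chauthtok/session entry points just return PAM_IGNORE
            findings.append(f"{where}: pam_ldap does nothing in this stack (returns PAM_IGNORE)")
            continue
        stale = sorted(OBSOLETE & stack[idx][2])
        if stale:
            findings.append(f"{where}: obsolete option(s) {stale} on pam_ldap are ignored")
        gate = [(fl, op) for fl, mo, op in stack[:idx] if mo == local]
        if not gate:
            findings.append(f"{where}: {local} must be stacked above pam_ldap")
        elif gate[0][0] != "binding" or "server_policy" not in gate[0][1]:
            findings.append(f"{where}: {local} needs control flag 'binding' and the server_policy option")
        if mtype == "auth" and where != "passwd/auth" and "pam_authtok_get.so.1" not in mods[:idx]:
            findings.append(f"{where}: pam_authtok_get.so.1 must precede pam_ldap to prompt for the password")
    return findings

# Constructed sample: a login auth stack that breaks three rules, plus an unsupported password stack.
SAMPLE_BAD = """\
login  auth     required  pam_unix_auth.so.1
login  auth     required  pam_ldap.so.1 use_first_pass
other  password required  pam_ldap.so.1
"""
```

       Running audit_pam_conf over the stacks from Examples 1 to 3 above returns an empty list;
       SAMPLE_BAD yields four findings.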

FILES
       /var/ldap/ldap_client_file    The LDAP configuration files of the client. Do not manually
       /var/ldap/ldap_client_cred    modify these files, as these files might not be human
                                     readable. Use ldapclient(1M) to update these files.

       /etc/pam.conf                 PAM configuration file.

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       +-----------------------------+-----------------------------+
       |      ATTRIBUTE TYPE         |      ATTRIBUTE VALUE        |
       +-----------------------------+-----------------------------+
       |Interface Stability          |Evolving                     |
       +-----------------------------+-----------------------------+
       |MT-Level                     |MT-Safe with exceptions      |
       +-----------------------------+-----------------------------+

SEE ALSO
       ldap(1), idsconfig(1M), ldap_cachemgr(1M), ldapclient(1M), libpam(3LIB), pam(3PAM),
       pam_sm_acct_mgmt(3PAM), pam_sm_authenticate(3PAM), pam_sm_chauthtok(3PAM),
       pam_sm_close_session(3PAM), pam_sm_open_session(3PAM), pam_sm_setcred(3PAM), syslog(3C),
       pam.conf(4), attributes(5), pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5),
       pam_passwd_auth(5), pam_unix_account(5), pam_unix_auth(5)

NOTES
       The interfaces in libpam(3LIB) are MT-Safe only if each thread within the multi-threaded
       application uses its own PAM handle.

       The previously supported use_first_pass and try_first_pass options are obsolete in this
       version, are no longer needed, can safely be removed from pam.conf(4), and are silently
       ignored. They might be removed in a future release. Password prompting must be provided
       for by stacking pam_authtok_get(5) before pam_ldap in the auth and password module stacks
       and pam_passwd_auth(5) in the passwd service auth stack (as described in the EXAMPLES
       section). The previously supported password update function is replaced in this release
       by the previously recommended use of pam_authtok_store with the server_policy option (as
       described in the EXAMPLES section).

       The functions pam_sm_setcred(3PAM), pam_sm_chauthtok(3PAM), pam_sm_open_session(3PAM),
       and pam_sm_close_session(3PAM) do nothing and return PAM_IGNORE in pam_ldap.

SunOS 5.11				   21 Dec 2005				      pam_ldap(5)

