10 More Discussions You Might Find Interesting
1. UNIX for Advanced & Expert Users
I've got a problem with a proxy configuration. We have an LDAP group that lists all users who are authorised to use the proxy to FTP (usually Filezilla) out to the world, and by implication those not in the group should be denied. My users are delighted that this has been enabled and those that... (9 Replies)
Discussion started by: rbatte1
9 Replies
2. SuSE
Hi,
I use a software which can create account on many system or application.
One of resource which is managed by this soft his a server SUSE Linux Enterprise Server 10 (x86_64). patch level 3.
This application which is an IBM application use ssh to launch command to create account in... (3 Replies)
Discussion started by: scabarrus
3 Replies
3. Shell Programming and Scripting
This is a weird problem. Following is my code.
/opt/quest/bin/vastool configure pam sshd
/opt/quest/bin/vastool configure pam ssh
cat /etc/pam.conf | \
awk '$1=="ssh"||$1=="sshd"||$1=="emagent"{sub("prohibit","aix",$NF);}1' OFS='\t' > /etc/pam.conf
cat /etc/ssh/sshd_config | \
sed -e... (2 Replies)
Discussion started by: pjeedu2247
2 Replies
4. Ubuntu
I have installed a real time kernel on ubuntu, Now, I don't know how to run in real time mode. I tried to execute commands and like emerge, PAM and alike but none were found. Then I installed set_rlimits package, it is installed.
I need a real time server, but in the tutorial it tries to run PAM... (2 Replies)
Discussion started by: dr_mabuse
2 Replies
5. UNIX for Advanced & Expert Users
I have applied pam authentication for local users as highlighted in below file.
# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so... (0 Replies)
Discussion started by: pinga123
0 Replies
6. Red Hat
Hi,
I've configured two linux boxes to authenticate against Windows Active Directory using Kerberos while retrieving authorization data (uids, gids ,,,)from NIS.
The problem I ran into with my PAM configuration is that all authentication attempts succeed in order.i.e. if someone tried his... (0 Replies)
Discussion started by: geek.ksa
0 Replies
7. Solaris
Hi Experts,
Appended is the pam.conf file in my Sol 5.10 client which uses AD for authentication(Followed scott Lowe's blog on AD-Solaris integration):
bash-3.00# cat /etc/pam.conf
##ident "@(#)pam.conf 1.31 07/12/07 SMI"
# Copyright 2007 Sun Microsystems, Inc. All rights reserved.... (9 Replies)
Discussion started by: Hari_Ganesh
9 Replies
8. UNIX for Dummies Questions & Answers
Hi.
i am on solaris. I have changed pam configuration. Do i need to let pam re-read its configuration again? If so, how can i do it?
ps -ef | grep -i pam, returns no hits.
Rgds (0 Replies)
Discussion started by: yls177
0 Replies
9. AIX
Does any one know how to get aix 5.3 pam working ..
Is there any pathc to make it work (0 Replies)
Discussion started by: ayeshaseerin
0 Replies
10. AIX
After enabling PAm , passwd command does not work properly
error in passwd
# passwd pamuser
Changing password for "pamuser"
pamuser's New password:
Enter the new password again:
3004-709 Error changing password for "pamuser".
... (0 Replies)
Discussion started by: ayeshaseerin
0 Replies
pam_ldap(5) pam_ldap(5)
NAME
pam_ldap - authentication and account management PAM module for LDAP
SYNOPSIS
/usr/lib/security/pam_ldap.so.1
The pam_ldap module implements pam_sm_authenticate() and pam_sm_acct_mgmt(), the functions that provide functionality for the PAM authenti-
cation and account management stacks. The pam_ldap module ties the authentication and account management functionality to the functionality
of the supporting LDAP server. For authentication, pam_ldap can authenticate the user directly to any LDAP directory server by using any
supported authentication mechanism, such as DIGEST-MD5. However, the account management component of pam_ldap will work only with the Sun
Java System Directory Server. The server's user account management must be properly configured before it can be used by pam_ldap. Refer to
the Sun Java System Directory Server Administration Guide for information on how to configure user account management, including password
and account lockout policy.
pam_ldap must be used in conjunction with the modules that support the UNIX authentication, password, and account management, which are
pam_authtok_get(5), pam_passwd_auth(5), pam_unix_account(5), and pam_unix_auth(5). pam_ldap is designed to be stacked directly below these
modules. If other modules are designed to be stacked in this manner, the modules can be stacked below the pam_ldap module. The section
shows how the UNIX modules are stacked with pam_ldap. When stacked together, the UNIX modules are used to control local accounts, such as
root. pam_ldap is used to control network accounts, that is, LDAP users. For the stacks to work, pam_unix_auth, pam_unix_account, and
pam_passwd_auth must be configured with the binding control flag and the server_policy option. This configuration allows local account
override of a network account.
LDAP Authentication Module
The LDAP authentication module verifies the identity of a user. The pam_sm_authenticate(3PAM) function uses the password entered by the
user to attempt to authenticate to the LDAP server. If successful, the user is authenticated. See for information on password prompting.
The authentication method used is either defined in the client profile , or the authentication method is configured by using the ldap-
client(1M) command. To determine the authentication method to use, this module first attempts to use the authentication method that is
defined, for service pam_ldap, for example, serviceAuthenticationMethod:pam_ldap:sasl/DIGEST-MD5. If no authentication method is defined,
pam_ldap uses the default authentication method. If neither are set, the authentication fails. This module skips the configured authentica-
tion method if the authentication method is set to none.
The following options may be passed to the LDAP service module:
debug
syslog(3C) debugging information at LOG_DEBUG level.
nowarn
Turn off warning messages.
These options are case sensitive, and the options must be used exactly as presented here.
LDAP Account Management Module
The LDAP account management module validates the user's account. The pam_sm_acct_mgmt(3PAM) function authenticates to the LDAP server to
verify that the user's password has not expired, or that the user's account has not been locked. The following options may be passed to the
LDAP service module:
debug
syslog(3C) debugging information at LOG_DEBUG level.
nowarn
Turn off warning messages.
These options are case sensitive, and the options must be used exactly as presented here.
LDAP Password Management Module
LDAP password management is no longer supported by pam_ldap. Use pam_authtok_store(5) instead of pam_ldap for password change. pam_auth-
tok_store(5) handles both the local and LDAP accounts and updates the passwords in all the repositories configured by nsswitch.conf(4).
The authentication service returns the following error codes:
PAM_SUCCESS Authentication successful
PAM_MAXTRIES Maximum number of authentication attempts exceeded
PAM_AUTH_ERR Authentication failure
PAM_USER_UNKNOWN No account present for user
PAM_BUF_ERR Memory buffer error
PAM_SYSTEM_ERR System error
PAM_IGNORE User's account inactivated
The account management service returns the following error codes:
PAM_SUCCESS User allowed access to account
PAM_NEW_AUTHTOK_REQD New authentication token required
PAM_ACCT_EXPIRED User account has expired
PAM_PERM_DENIED User denied access to account at this time
PAM_USER_UNKNOWN No account present for user
PAM_BUF_ERROR Memory buffer error
PAM_SYSTEM_ERR System error
Example 1: Using pam_ldap With Authentication
The following is a configuration for the login service when using pam_ldap. The service name login can be substituted for any other authen-
tication service such as dtlogin or su. Lines that begin with the # symbol are comments and are ignored.
# Authentication management for login service is stacked.
# If pam_unix_auth succeeds, pam_ldap is not invoked.
# The control flag "binding" provides a local overriding
# remote (LDAP) control. The "server_policy" option is used
# to tell pam_unix_auth.so.1 to ignore the LDAP users.
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
Example 2: Using pam_ldap With Account Management
The following is a configuration for account management when using pam_ldap. Lines that begin with the # symbol are comments and are
ignored.
# Account management for all services is stacked
# If pam_unix_account succeeds, pam_ldap is not invoked.
# The control flag "binding" provides a local overriding
# remote (LDAP) control. The "server_policy" option is used
# to tell pam_unix_account.so.1 to ignore the LDAP users.
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
Example 3: Using pam_authtok_store With Password Management For Both Local and LDAP Accounts
The following is a configuration for password management when using pam_authtok_store. Lines that begin with the # symbol are comments and
are ignored.
# Password management (authentication)
# The control flag "binding" provides a local overriding
# remote (LDAP) control. The server_policy option is used
# to tell pam_passwd_auth.so.1 to ignore the LDAP users.
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
# Password management (updates)
# This updates passwords stored both in the local /etc
# files and in the LDAP directory. The "server_policy"
# option is used to tell pam_authtok_store to
# follow the LDAP server's policy when updating
# passwords stored in the LDAP directory
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
/var/ldap/ldap_client_file The LDAP configuration files of the client. Do not manually modify these files, as these files may not be
/var/ldap/ldap_client_cred human readable. Use ldapclient(1M) to update these files.
/etc/pam.conf PAM configuration file.
See attributes(5) for descriptions of the following attributes:
+-----------------------------+-----------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+-----------------------------+-----------------------------+
|Interface Stability |Evolving |
+-----------------------------+-----------------------------+
|MT-Level |MT-Safe with exceptions |
+-----------------------------+-----------------------------+
ldap(1), idsconfig(1M), ldap_cachemgr(1M), ldapclient(1M), libpam(3LIB), pam(3PAM), pam_sm_authenticate(3PAM), pam_sm_chauthtok(3PAM),
pam_sm_close_session(3PAM), pam_sm_open_session(3PAM), pam_sm_setcred(3PAM), syslog(3C), pam.conf(4), attributes(5), pam_authtok_check(5),
pam_authtok_get(5), pam_authtok_store(5), pam_passwd_auth(5), pam_unix_account(5), pam_unix_auth(5)
The interfaces in libpam(3LIB) are MT-Safe only if each thread within the multi-threaded application uses its own PAM handle.
The previously supported use_first_pass and try_first_pass options are obsolete in this version, are no longer needed, can safely be
removed from pam.conf(4), and are silently ignored. They might be removed in a future release. Password prompting must be provided for by
stacking pam_authtok_get(5) before pam_ldap in the auth and password module stacks and pam_passwd_auth(5) in the passwd service auth stack
(as described in the section). The previously supported password update function is replaced in this release by the previously recommended
use of pam_authtok_store with the server_policy option (as described in the section).
The functions: pam_sm_setcred(3PAM), pam_sm_chauthtok(3PAM), pam_sm_open_session(3PAM), and pam_sm_close_session(3PAM) do nothing and
return PAM_IGNORE in pam_ldap.
10 May 2005 pam_ldap(5)