SunOS man pages : pam_ldap (5)
Standards, Environments, and Macros pam_ldap(5)
NAME
pam_ldap - authentication and password management PAM
modules for LDAP
SYNOPSIS
/usr/lib/security/pam_ldap.so.1
DESCRIPTION
The LDAP service module for PAM,
/usr/lib/security/pam_ldap.so.1, provides functionality for
two PAM modules: authentication and password management. The
pam_ldap.so.1 module is a shared object that can be dynamically
loaded to provide the necessary functionality upon demand. Its
path is specified in the PAM configuration file.
The pam_ldap.so.1 module must be used in conjunction with the
pam_unix.so.1 module. See pam_unix(5). The latter supports
UNIX authentication. The pam_ldap.so.1 module supports
direct authentication to the LDAP directory server by using
any supported authentication mechanism, such as CRAM-MD5.
The pam_ldap.so.1 module is designed to be stacked directly
below the pam_unix.so.1 module when it is used for
authentication and password management. If any other module
was designed to be stacked in this manner, it can be stacked
under the pam_ldap.so.1 module. If this design is not
followed, UNIX authentication and password management will
not work. The EXAMPLES section below shows how the modules
are to be stacked when using this module.
The pam_ldap.so.1 module supports both the authentication
and password management components.
LDAP Authentication Component
The LDAP authentication component provides functions to
verify the identity of a user and to set user specific
credentials. See pam_sm_authenticate(3PAM) and
pam_sm_setcred(3PAM). The pam_sm_authenticate() function
uses the password entered by the user to attempt to
authenticate to the LDAP server. If successful, the user is
authenticated.
The authentication method used is defined in the client
profile or is configured by using the ldapclient(1M) command.
To determine the authentication method to use, this module
first attempts to use the authentication method defined for
service pam_ldap. If no authentication method is defined, it
will then use the default authentication method. If neither
is set, the authentication will fail. This module will skip
the configured authentication method if it is set to none.
At present, the pam_sm_setcred() function succeeds all the
time without setting any credentials.
SunOS 5.8 Last change: 20 Jul 2001 1
The following options may be passed to the LDAP service
module:
debug
Log debugging information via syslog(3C) at LOG_DEBUG level.
nowarn
Turn off warning messages.
use_first_pass
Authenticate to the directory by using the password
that the user initially entered when the user
authenticated to the first authentication module in the
stack. If the authentication fails, or if no password
has been entered, it quits. The user is not prompted
for another password.
try_first_pass
Authenticate to the directory by using the password
the user initially entered when the user authenticated
to the first authentication module in the stack. If
the authentication fails, or if no password has been
entered, the user is prompted for another password.
These options are case sensitive and must be used exactly as
presented here.
LDAP Password Management Component
The LDAP password management component provides the
pam_sm_chauthtok(3PAM) function to change passwords in the
LDAP password database. The following options may be passed
in to the LDAP service module:
debug
Log debugging information via syslog(3C) at LOG_DEBUG level.
nowarn
Turn off warning messages.
use_first_pass
Authenticate to the directory by using the password
that the user initially entered when the user
authenticated to the first authentication module in the
stack. If the authentication fails, or if no password
has been entered, it quits. The user is not prompted
for another password.
try_first_pass
Authenticate to the directory by using the password
the user initially entered when the user authenticated
to the first authentication module in the stack. If
the authentication fails, or if no password has been
entered, the user is prompted for another password.
EXAMPLES
Example 1: Use pam_ldap.so.1 With Authentication in pam.conf
The following is a configuration for the login service when
using pam_ldap.so.1. The service name login can be
substituted for any other authentication service such as
dtlogin or su. Lines that begin with the # symbol are
comments and are ignored.
# Authentication management for login service is stacked.
# If pam_unix succeeds, pam_ldap is not invoked.
login auth sufficient /usr/lib/security/pam_unix.so.1
login auth required /usr/lib/security/pam_ldap.so.1 try_first_pass
Note that pam_unix.so.1 is qualified with the sufficient
control flag.
Example 2: Use pam_ldap.so.1 With password in pam.conf
The following is a configuration for the password management
when using pam_ldap.so.1. Lines that begin with the # symbol
are ignored.
# Password management
#
other password sufficient /usr/lib/security/pam_unix.so.1
other password required /usr/lib/security/pam_ldap.so.1
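A configuration check for the stacking rule described above (pam_ldap.so.1 directly below a sufficient pam_unix.so.1, options spelled exactly as listed), written as an added example that is not part of the man page or of Solaris; the pam.conf lines it reads are constructed, and the function names are assumptions of this example.

```python
# Added example (not from the man page or Solaris): lint a pam.conf for the
# pam_ldap(5) stacking rule and the case-sensitive option names.
KNOWN_OPTIONS = {"debug", "nowarn", "use_first_pass", "try_first_pass"}

# Constructed sample: the two stacks from EXAMPLES plus a deliberately wrong
# 'su' stack (no pam_unix.so.1 above pam_ldap.so.1, mis-cased option).
SAMPLE_PAM_CONF = """\
# Authentication management for login service is stacked.
login auth sufficient /usr/lib/security/pam_unix.so.1
login auth required /usr/lib/security/pam_ldap.so.1 try_first_pass
other password sufficient /usr/lib/security/pam_unix.so.1
other password required /usr/lib/security/pam_ldap.so.1
su auth required /usr/lib/security/pam_ldap.so.1 Try_First_Pass
"""

def parse_pam_conf(text):
    """Return (service, type, control, module, options) per active line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        entries.append(tuple(fields[:4]) + (fields[4:],))
    return entries

def check_pam_ldap_stacking(entries):
    """Return findings; an empty list means every pam_ldap stack is as documented."""
    findings = []
    for i, (service, mtype, control, module, options) in enumerate(entries):
        if not module.endswith("/pam_ldap.so.1"):
            continue
        prev = entries[i - 1] if i > 0 else None
        # Directly above must be pam_unix.so.1 for the same service and type...
        if prev is None or prev[:2] != (service, mtype) \
                or not prev[3].endswith("/pam_unix.so.1"):
            findings.append("%s %s: pam_ldap.so.1 is not directly below "
                            "pam_unix.so.1" % (service, mtype))
        elif prev[2] != "sufficient":  # ...and qualified 'sufficient'
            findings.append("%s %s: pam_unix.so.1 above pam_ldap.so.1 is %r, "
                            "expected 'sufficient'" % (service, mtype, prev[2]))
        for opt in options:  # option names are case sensitive
            if opt not in KNOWN_OPTIONS:
                findings.append("%s %s: unknown or mis-cased option %r"
                                % (service, mtype, opt))
    return findings
```

Running check_pam_ldap_stacking(parse_pam_conf(SAMPLE_PAM_CONF)) reports only the su stack; point parse_pam_conf at the contents of /etc/pam.conf to check a real host.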
FILES
/var/ldap/ldap_client_file
/var/ldap/ldap_client_cred
Contain the LDAP configuration of the client. Do not
manually modify these files. They may not be human
readable. Use ldapclient(1M) to update these files.
/etc/pam.conf
PAM configuration file.
ATTRIBUTES
See attributes(5) for descriptions of the following
attributes:
ATTRIBUTE TYPE        ATTRIBUTE VALUE
MT-Level              MT-Safe with exceptions
Stability Level       Evolving
SEE ALSO
ldap(1), idsconfig(1M), ldapclient(1M), ldap_cachemgr(1M),
libpam(3LIB), pam(3PAM), pam_sm_authenticate(3PAM),
pam_sm_chauthtok(3PAM), pam_sm_setcred(3PAM), syslog(3C),
pam.conf(4), attributes(5)
NOTES
The interfaces in libpam are MT-Safe only if each thread
within the multithreaded application uses its own PAM
handle.