Sun Microsystems, Inc.
Standards, Environments, and Macros                            pam_ldap(5)


NAME

 pam_ldap - authentication and password management PAM module for LDAP

SYNOPSIS

 
/usr/lib/security/pam_ldap.so.1

DESCRIPTION

 

The LDAP service module for PAM, /usr/lib/security/pam_ldap.so.1, provides functionality for two PAM modules: authentication and password management. The pam_ldap.so.1 module is a shared object that can be dynamically loaded to provide the necessary functionality upon demand. Its path is specified in the PAM configuration file.

The pam_ldap.so.1 module must be used in conjunction with the pam_unix.so.1 module. See pam_unix(5). The latter supports UNIX authentication. The pam_ldap.so.1 module supports direct authentication to the LDAP directory server by using any supported authentication mechanism, such as CRAM-MD5. The pam_ldap.so.1 module is designed to be stacked directly below the pam_unix.so.1 module when it is used for authentication and password management. Any other module that was designed to be stacked in this manner can be stacked under the pam_ldap.so.1 module. If this design is not followed, UNIX authentication and password management will not work. The EXAMPLES section below shows how the modules are to be stacked when using this module.

The pam_ldap.so.1 module supports both the authentication and password management components.

LDAP Authentication Component

 

The LDAP authentication component provides functions to verify the identity of a user and to set user specific credentials. See pam_sm_authenticate(3PAM) and pam_sm_setcred(3PAM). The pam_sm_authenticate() function uses the password entered by the user to attempt to authenticate to the LDAP server. If successful, the user is authenticated.

The authentication method used is defined in the client profile or is configured by using the ldapclient(1M) command. To determine the authentication method to use, this module first attempts to use the authentication method defined for the service pam_ldap. If no authentication method is defined, it then uses the default authentication method. If neither is set, the authentication fails. This module skips the configured authentication method if it is set to none.

At present, the pam_sm_setcred() function succeeds all the time without setting any credentials.

The following options may be passed to the LDAP service module:

debug
syslog(3C) debugging information at LOG_DEBUG level.
nowarn
Turn off warning messages.
use_first_pass
Authenticate to the directory by using the password that the user initially entered when the user authenticated to the first authentication module in the stack. If the authentication fails, or if no password has been entered, it quits. The user is not prompted for another password.
try_first_pass
Authenticate to the directory by using the password the user initially entered when the user authenticated to the first authentication module in the stack. If the authentication fails, or if no password has been entered, the user is prompted for another password.

These options are case sensitive and must be used exactly as presented here.

LDAP Password Management Component

 

The LDAP password management component provides the pam_sm_chauthtok(3PAM) function to change passwords in the LDAP password database. The following options may be passed to the LDAP service module:

debug
syslog(3C) debugging information at LOG_DEBUG level.
nowarn
Turn off warning messages.
use_first_pass
Compare the password in the password database with the user's old password, which was entered to the first password module in the stack. If the passwords do not match, or if no password has been entered, pam_ldap quits. It does not prompt the user for the old password. It also attempts to use the new password, which was entered to the first password module in the stack, as the new password for this module. If the new password fails, pam_ldap quits and does not prompt the user for a new password.
try_first_pass
Compare the password in the password database with the user's old password, which was entered to the first password module in the stack. If the passwords do not match, or if no password has been entered, it prompts the user for the old password. It also attempts to use the new password, which was entered to the first password module in the stack, as the new password for this module. If the new password fails, it prompts the user for a new password.

EXAMPLES

Example 1. Using pam_ldap.so.1 With Authentication in pam.conf
 

The following is a configuration for the login service when using pam_ldap.so.1. The service name login can be substituted for any other authentication service such as dtlogin or su. Lines that begin with the # symbol are comments and are ignored.

 
# Authentication management for login service is stacked.
# If pam_unix succeeds, pam_ldap is not invoked.
login   auth sufficient /usr/lib/security/pam_unix.so.1
login   auth required   /usr/lib/security/pam_ldap.so.1 try_first_pass

Note that pam_unix.so.1 is qualified with the sufficient control flag.

Example 2. Using pam_ldap.so.1 With password in pam.conf
 

The following is a configuration for password management when using pam_ldap.so.1. Lines that begin with the # symbol are ignored.

 
# Password management
#
other   password sufficient     /usr/lib/security/pam_unix.so.1
other   password required       /usr/lib/security/pam_ldap.so.1
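The following script is an added example and is not part of the Sun man page or the pam_ldap module itself. It parses pam.conf entries of the form shown in Examples 1 and 2 (service, module type, control flag, module path, options), checks that pam_ldap.so.1 is stacked directly below a pam_unix.so.1 entry carrying the sufficient control flag for each service and module type, and flags any option on a pam_ldap line that is not one of debug, nowarn, use_first_pass or try_first_pass, since option names are case sensitive. The sample pam.conf text is constructed for the example and deliberately contains a mis-ordered su stack with a mis-cased option; the function names are the example's own.

```python
"""Audit pam.conf stacking for pam_ldap.so.1 (added example, not Sun's code)."""
from dataclasses import dataclass, field
from typing import List

PAM_UNIX = "/usr/lib/security/pam_unix.so.1"
PAM_LDAP = "/usr/lib/security/pam_ldap.so.1"

# Options the man page lists for both components; matching is case sensitive.
VALID_OPTIONS = {"debug", "nowarn", "use_first_pass", "try_first_pass"}

# Constructed sample: the two stacks from the man page examples plus a wrong 'su' stack.
SAMPLE_PAM_CONF = """\
# Authentication management for login service is stacked.
login   auth sufficient /usr/lib/security/pam_unix.so.1
login   auth required   /usr/lib/security/pam_ldap.so.1 try_first_pass
# Wrong: pam_ldap above pam_unix, and the option is mis-cased.
su      auth required   /usr/lib/security/pam_ldap.so.1 Try_First_Pass
su      auth sufficient /usr/lib/security/pam_unix.so.1
# Password management
other   password sufficient     /usr/lib/security/pam_unix.so.1
other   password required       /usr/lib/security/pam_ldap.so.1
"""


@dataclass
class PamEntry:
    service: str
    module_type: str
    control: str
    module: str
    options: List[str] = field(default_factory=list)


def parse_pam_conf(text: str) -> List[PamEntry]:
    """Parse pam.conf lines; lines beginning with '#' are comments and are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        entries.append(PamEntry(fields[0], fields[1], fields[2], fields[3], fields[4:]))
    return entries


def check_options(entry: PamEntry) -> List[str]:
    """Return options on a pam_ldap line that the module would not recognise."""
    if entry.module != PAM_LDAP:
        return []
    return [o for o in entry.options if o not in VALID_OPTIONS]


def check_stacking(entries: List[PamEntry], service: str, module_type: str) -> List[str]:
    """Return problems with the pam_unix/pam_ldap stack for one service and module type."""
    stack = [e for e in entries if e.service == service and e.module_type == module_type]
    where = f"{service} {module_type}"
    ldap_positions = [i for i, e in enumerate(stack) if e.module == PAM_LDAP]
    if not ldap_positions:
        return [f"{where}: pam_ldap.so.1 not present"]
    i = ldap_positions[0]
    problems = []
    # The man page requires pam_ldap to sit directly below pam_unix in the stack.
    if i == 0 or stack[i - 1].module != PAM_UNIX:
        problems.append(f"{where}: pam_ldap.so.1 is not stacked directly below pam_unix.so.1")
    elif stack[i - 1].control != "sufficient":
        problems.append(f"{where}: pam_unix.so.1 uses '{stack[i - 1].control}', expected 'sufficient'")
    for bad in check_options(stack[i]):
        problems.append(f"{where}: unrecognised pam_ldap option '{bad}' (options are case sensitive)")
    return problems


def audit(text: str) -> List[str]:
    """Run the stacking check for every (service, module type) pair found in the file."""
    entries = parse_pam_conf(text)
    pairs = sorted({(e.service, e.module_type) for e in entries})
    problems = []
    for service, module_type in pairs:
        problems.extend(check_stacking(entries, service, module_type))
    return problems


if __name__ == "__main__":
    for problem in audit(SAMPLE_PAM_CONF):
        print(problem)
```

Run against the constructed sample, the login auth and other password stacks pass and only the su auth stack is reported, once for the ordering and once for the mis-cased option. A service that lacks a pam_ldap line altogether (dtlogin, for instance) is reported as not present, which is the case to watch for after copying Example 1 to another service name.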

FILES

 
/var/ldap/ldap_client_file
/var/ldap/ldap_client_cred
The LDAP configuration files of the client. Do not manually modify these files. They may not be human readable. Use ldapclient(1M) to update these files.
/etc/pam.conf
PAM configuration file.

ATTRIBUTES

 

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE        ATTRIBUTE VALUE
MT-Level              MT-Safe with exceptions
Stability Level       Evolving

SEE ALSO

 

ldap(1), idsconfig(1M), ldap_cachemgr(1M), ldapclient(1M), libpam(3LIB), pam(3PAM), pam_sm_authenticate(3PAM), pam_sm_chauthtok(3PAM), pam_sm_setcred(3PAM), syslog(3C), pam.conf(4), attributes(5), pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5), pam_unix(5), pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5)

NOTES

 

The interfaces in libpam(3LIB) are MT-Safe only if each thread within the multi-threaded application uses its own PAM handle.

The pam_unix(5) module might not be supported in a future release. Similar functionality is provided by pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5), pam_unix_account(5), pam_unix_auth(5), and pam_unix_session(5).


SunOS 5.9                                    Last Changed 11 Dec 2001

Copyright 2002 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms.