NAME
pam_ldap - authentication, account, and password management PAM module for LDAP
SYNOPSIS
/usr/lib/security/pam_ldap.so.1
DESCRIPTION
The pam_ldap module implements pam_sm_authenticate, pam_sm_setcred, pam_sm_acct_mgmt, and pam_sm_chauthtok, the functions that provide functionality for the PAM authentication, account management, and password management stacks. The pam_ldap module ties the authentication, account management, and password change functionality to the functionality of the supporting LDAP server. For authentication, pam_ldap can authenticate the user directly to any LDAP directory server by using any supported authentication mechanism, such as DIGEST-MD5. However, the account management and password change components of pam_ldap work only with the bundled Sun ONE Directory Server. The Sun ONE Directory Server user account management, that is, password and account lockout policy, must be properly configured on the server before pam_ldap can use it to provide the account management, password aging, and password syntax checking controls. Refer to the Sun ONE Directory Server Administrator's Guide that is cited in the NOTES section.

pam_ldap must be used in conjunction with the modules that support UNIX authentication, password, and account management, which are pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5), pam_passwd_auth(5), pam_unix_account(5), and pam_unix_auth(5). pam_ldap is designed to be stacked directly below these modules. If other modules are designed to be stacked in this manner, those modules can be stacked below the pam_ldap module.

The EXAMPLES section shows how the UNIX modules are stacked with pam_ldap. When stacked together, the UNIX modules control local accounts, such as root, and pam_ldap controls the network accounts, that is, LDAP users. For the stacks to work, pam_unix_auth, pam_unix_account, pam_passwd_auth, and pam_authtok_store must be configured with the binding control flag and the server_policy option. This configuration allows a local account to override a network account.
LDAP Authentication Module
The LDAP authentication module verifies the identity of a user. The pam_sm_authenticate() function uses the password entered by the user to attempt to authenticate to the LDAP server. If successful, the user is authenticated.

The authentication method used is either defined in the client profile, or the authentication method is configured by using the ldapclient(1M) command. To determine the authentication method to use, this module first attempts to use the authentication method that is defined for the service pam_ldap, for example, serviceAuthenticationMethod:pam_ldap:sasl/DIGEST-MD5. If no service-specific authentication method is defined, pam_ldap uses the default authentication method. If neither is set, the authentication fails. This module skips the configured authentication method if the authentication method is set to none.

The pam_sm_setcred(3PAM) function does nothing. This function always returns PAM_IGNORE.
The following options may be passed to the LDAP service module:

debug
    syslog(3C) debugging information at LOG_DEBUG level.
nowarn
    Turn off warning messages.

These options are case sensitive, and the options must be used exactly as presented here.
LDAP Account Management Module
The LDAP account management module validates the user's account. The pam_sm_acct_mgmt(3PAM) function authenticates to the LDAP server to verify that the user's password has not expired and that the user's account has not been locked. The following options may be passed to the LDAP service module:

debug
    syslog(3C) debugging information at LOG_DEBUG level.
nowarn
    Turn off warning messages.

These options are case sensitive, and the options must be used exactly as presented here.
LDAP Password Management Module
The preferred way to configure password management for LDAP is by using the pam_authtok_store(5) module and by specifying the server_policy option. Use the pam_authtok_store function instead of pam_ldap for password change. When password management is configured this way, both the local and LDAP accounts are handled. pam_authtok_store(5) updates the passwords in all the repositories configured by nsswitch.conf(4). pam_ldap updates only the password in the LDAP password database.

The LDAP password management module provides the pam_sm_chauthtok() function to change passwords in the LDAP database.

The following options may be passed to the LDAP service module:

debug
    syslog(3C) debugging information at LOG_DEBUG level.
nowarn
    Turn off warning messages.

These options are case sensitive, and the options must be used exactly as presented here.
ERRORS
The authentication service returns the following error codes:

PAM_SUCCESS
    Authentication successful
PAM_MAXTRIES
    Maximum number of authentication attempts exceeded
PAM_AUTH_ERR
    Authentication failure
PAM_USER_UNKNOWN
    No account present for user
PAM_BUF_ERR
    Memory buffer error
PAM_SYSTEM_ERR
    System error

The account management service returns the following error codes:

PAM_SUCCESS
    User allowed access to account
PAM_NEW_AUTHTOK_REQD
    New authentication token required
PAM_ACCT_EXPIRED
    User account has expired
PAM_PERM_DENIED
    User denied access to account at this time
PAM_USER_UNKNOWN
    No account present for user
PAM_BUF_ERR
    Memory buffer error
PAM_SYSTEM_ERR
    System error

The password management service returns the following values:

PAM_SUCCESS
    Successfully updated authentication token
PAM_PERM_DENIED
    No permission to update authentication token
PAM_AUTHTOK_ERR
    Authentication token manipulation error
PAM_USER_UNKNOWN
    No account present for user
PAM_BUF_ERR
    Memory buffer error
PAM_SYSTEM_ERR
    System error
EXAMPLES
Example 1. Using pam_ldap With Authentication

The following is a configuration for the login service when using pam_ldap. The service name login can be substituted with any other authentication service, such as dtlogin or su. Lines that begin with the # symbol are comments, and these lines are ignored.

# Authentication management for login service is stacked.
# If pam_unix_auth succeeds, pam_ldap is not invoked.
# The control flag "binding" provides a local overriding
# remote (LDAP) control. The "server_policy" option is used
# to tell pam_unix_auth.so.1 to ignore the LDAP users.
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1

Example 2. Using pam_ldap With Account Management

The following is a configuration for account management when using pam_ldap. Lines that begin with the # symbol are ignored.

# Account management for all services is stacked
# If pam_unix_account succeeds, pam_ldap is not invoked.
# The control flag "binding" provides a local overriding
# remote (LDAP) control. The "server_policy" option is used
# to tell pam_unix_account.so.1 to ignore the LDAP users.
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1

Example 3. Using pam_authtok_store With Password Management For Both Local and LDAP Accounts

The following is a configuration for password management when using pam_authtok_store instead of pam_ldap. This configuration works because pam_authtok_store updates passwords in all the repositories configured by nsswitch.conf(4). Lines that begin with the # symbol are comments, and these lines are ignored.

# Password management (authentication)
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
# Password management (updates)
# This is the preferred stack, since it updates
# passwords stored both in the local /etc files and
# in the LDAP directory. The "server_policy"
# option is used to tell pam_authtok_store to
# follow the LDAP server's policy when updating
# passwords stored in the LDAP directory
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy

Example 4. Using pam_ldap With Password Management if There are no Local Accounts

Use the following configuration for password management when using pam_ldap. Lines that begin with the # symbol are comments, and the comments are ignored.

# Password management (authentication)
# The control flag "binding" provides a local overriding
# remote (LDAP) control. The server_policy option is used
# to tell pam_passwd_auth.so.1 to ignore the LDAP users.
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
# Password management (updates)
# This stack is limited to updating password stored in the
# LDAP directory. The preferred method is shown in Example 3.
other password required pam_ldap.so.1
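As an added illustration that is not part of this man page or of the pam_ldap module, the following Python lint parses pam.conf entries and checks the stacking rule stated in the DESCRIPTION and shown in Examples 1 through 4: wherever pam_ldap.so.1 appears in a stack, the UNIX modules in that stack must use the binding control flag with the server_policy option and must sit above pam_ldap. The function names and the sample stacks are the editor's own constructions.

```python
# Constructed lint for the pam_ldap stacking rule in this man page: in any
# (service, type) stack that contains pam_ldap.so.1, the UNIX modules must
# use "binding" with server_policy and be listed above pam_ldap.so.1.
UNIX_MODULES = {"pam_unix_auth.so.1", "pam_unix_account.so.1",
                "pam_passwd_auth.so.1", "pam_authtok_store.so.1"}


def parse_pam_conf(text):
    # pam.conf line: service module_type control_flag module_path [options]
    stacks = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        service, mtype, control, path = fields[:4]
        module = path.rsplit("/", 1)[-1]             # accept full module paths
        stacks.setdefault((service, mtype), []).append(
            (control, module, fields[4:]))
    return stacks                                    # insertion order = file order


def check_ldap_stacks(text):
    """Return a list of findings; an empty list means every stack follows the rule."""
    findings = []
    for (svc, mtype), entries in parse_pam_conf(text).items():
        modules = [m for _, m, _ in entries]
        if "pam_ldap.so.1" not in modules:
            continue                                 # rule applies only with pam_ldap
        ldap_pos = modules.index("pam_ldap.so.1")
        for pos, (control, module, opts) in enumerate(entries):
            if module not in UNIX_MODULES:
                continue
            where = "%s %s %s" % (svc, mtype, module)
            if control != "binding":
                findings.append("%s: control flag %r, expected 'binding'" % (where, control))
            if "server_policy" not in opts:
                findings.append("%s: missing server_policy option" % where)
            if pos > ldap_pos:
                findings.append("%s: must be stacked above pam_ldap.so.1" % where)
    return findings


# Constructed samples: GOOD mirrors the pam_unix_auth/pam_ldap pair of Example 1;
# BAD drops "binding" and server_policy, so pam_unix_auth also handles LDAP users.
GOOD = """login auth binding   pam_unix_auth.so.1 server_policy
login auth required  pam_ldap.so.1"""
BAD = """login auth required pam_unix_auth.so.1
login auth required pam_ldap.so.1"""
```

Running check_ldap_stacks(BAD) reports two findings for pam_unix_auth.so.1, while GOOD yields none.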

FILES
/var/ldap/ldap_client_file
/var/ldap/ldap_client_cred
    The LDAP configuration files of the client. Do not manually modify these files, as these files may not be human readable. Use ldapclient(1M) to update these files.
/etc/pam.conf
    PAM configuration file.

ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
| MT-Level | MT-Safe with exceptions |
| Stability Level | Evolving |

SEE ALSO
ldap(1), idsconfig(1M), ldap_cachemgr(1M), ldapclient(1M), libpam(3LIB), pam(3PAM), pam_sm_authenticate(3PAM), pam_sm_chauthtok(3PAM), pam_sm_setcred(3PAM), syslog(3C), pam.conf(4), attributes(5), pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5), pam_passwd_auth(5), pam_unix_account(5), pam_unix_auth(5)

NOTES
The interfaces in libpam(3LIB) are MT-Safe only if each thread within the multi-threaded application uses its own PAM handle.
For information on how to configure user account management, including the password and account lockout policy, for the bundled Sun ONE Directory Server, see the HTML file /usr/iplanet/ds5/manual/en/slapd/ag/password.htm.
Copyright 2003 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.