Standards, Environments, and Macros                        pam_ldap(5)

NAME
     pam_ldap - authentication and account management PAM module
     for LDAP

SYNOPSIS
     /usr/lib/security/pam_ldap.so.1

DESCRIPTION
     The pam_ldap module implements pam_sm_authenticate(3PAM) and
     pam_sm_acct_mgmt(3PAM), the functions that provide functionality
     for the PAM authentication and account management stacks. The
     pam_ldap module ties the authentication and account management
     functionality to the functionality of the supporting LDAP server.
     For authentication, pam_ldap can authenticate the user directly
     to any LDAP directory server by using any supported
     authentication mechanism, such as DIGEST-MD5. However, the
     account management component of pam_ldap will work only with the
     Sun Java System Directory Server. The server's user account
     management must be properly configured before it can be used by
     pam_ldap. Refer to the Sun Java System Directory Server
     Administration Guide for information on how to configure user
     account management, including password and account lockout
     policy.

     pam_ldap must be used in conjunction with the modules that
     support the UNIX authentication, password, and account
     management, which are pam_authtok_get(5), pam_passwd_auth(5),
     pam_unix_account(5), and pam_unix_auth(5). pam_ldap is designed
     to be stacked directly below these modules. If other modules are
     designed to be stacked in this manner, the modules can be stacked
     below the pam_ldap module. The Examples section shows how the
     UNIX modules are stacked with pam_ldap. When stacked together,
     the UNIX modules are used to control local accounts, such as
     root. pam_ldap is used to control network accounts, that is, LDAP
     users. For the stacks to work, pam_unix_auth, pam_unix_account,
     and pam_passwd_auth must be configured with the binding control
     flag and the server_policy option. This configuration allows
     local account override of a network account.

  LDAP Authentication Module
     The LDAP authentication module verifies the identity of a user.
     The pam_sm_authenticate(3PAM) function uses the password entered
     by the user to attempt to authenticate to the LDAP server. If
     successful, the user is authenticated. See NOTES for information
     on password prompting.
     The authentication method used is either defined in the client
     profile, or the authentication method is configured by using the
     ldapclient(1M) command. To determine the authentication method to
     use, this module first attempts to use the authentication method
     that is defined for service pam_ldap, for example,
     serviceAuthenticationMethod:pam_ldap:sasl/DIGEST-MD5. If no
     authentication method is defined, pam_ldap uses the default
     authentication method. If neither is set, the authentication
     fails. This module skips the configured authentication method if
     the authentication method is set to none.

     The following options can be passed to the LDAP service module:

     debug
           syslog(3C) debugging information at LOG_DEBUG level.

     nowarn
           Turn off warning messages.

     These options are case sensitive and must be used exactly as
     presented here.

  LDAP Account Management Module
     The LDAP account management module validates the user's account.
     The pam_sm_acct_mgmt(3PAM) function authenticates to the LDAP
     server to verify that the user's password has not expired, or
     that the user's account has not been locked. In the event that
     there is no user authentication token (PAM_AUTHTOK) available,
     the pam_sm_acct_mgmt(3PAM) function attempts to retrieve the
     user's account status without authenticating to the LDAP server
     as the user logging in. This procedure will succeed only if the
     LDAP server is Sun Java System Directory Server 5.2 patch 4 or
     newer.

     The following options can be passed to the LDAP service module:

     debug
           syslog(3C) debugging information at LOG_DEBUG level.

     nowarn
           Turn off warning messages.

     These options are case sensitive, and the options must be used
     exactly as presented here.
  LDAP Password Management Module
     LDAP password management is no longer supported by pam_ldap. Use
     pam_authtok_store(5) instead of pam_ldap for password change.
     pam_authtok_store(5) handles both the local and LDAP accounts and
     updates the passwords in all the repositories configured by
     nsswitch.conf(4).

ERRORS
     The authentication service returns the following error codes:

     PAM_SUCCESS
           The authentication was successful.

     PAM_MAXTRIES
           The maximum number of authentication attempts was exceeded.

     PAM_AUTH_ERR
           The authentication failed.

     PAM_USER_UNKNOWN
           No account is present for the user.

     PAM_BUF_ERR
           A memory buffer error occurred.

     PAM_SYSTEM_ERR
           A system error occurred.

     PAM_IGNORE
           The user's account was inactivated.

     The account management service returns the following error
     codes:

     PAM_SUCCESS
           The user was allowed access to the account.

     PAM_NEW_AUTHTOK_REQD
           A new authentication token is required.

     PAM_ACCT_EXPIRED
           The user account has expired.

     PAM_PERM_DENIED
           The user was denied access to the account at this time.

     PAM_USER_UNKNOWN
           No account is present for the user.

     PAM_BUF_ERR
           A memory buffer error occurred.

     PAM_SYSTEM_ERR
           A system error occurred.
EXAMPLES
     Example 1 Using pam_ldap With Authentication

     The following is a configuration for the login service when
     using pam_ldap. The service name login can be substituted for any
     other authentication service such as dtlogin or su. Lines that
     begin with the # symbol are comments and are ignored.

     # Authentication management for login service is stacked.
     # If pam_unix_auth succeeds, pam_ldap is not invoked.
     # The control flag "binding" provides a local overriding
     # remote (LDAP) control. The "server_policy" option is used
     # to tell pam_unix_auth.so.1 to ignore the LDAP users.
     login   auth requisite   pam_authtok_get.so.1
     login   auth required    pam_dhkeys.so.1
     login   auth required    pam_unix_cred.so.1
     login   auth binding     pam_unix_auth.so.1 server_policy
     login   auth required    pam_ldap.so.1

     Example 2 Using pam_ldap With Account Management

     The following is a configuration for account management when
     using pam_ldap. Lines that begin with the # symbol are comments
     and are ignored.

     # Account management for all services is stacked.
     # If pam_unix_account succeeds, pam_ldap is not invoked.
     # The control flag "binding" provides a local overriding
     # remote (LDAP) control. The "server_policy" option is used
     # to tell pam_unix_account.so.1 to ignore the LDAP users.
     other   account requisite   pam_roles.so.1
     other   account binding     pam_unix_account.so.1 server_policy
     other   account required    pam_ldap.so.1

     Example 3 Using pam_authtok_store With Password Management For
     Both Local and LDAP Accounts

     The following is a configuration for password management when
     using pam_authtok_store. Lines that begin with the # symbol are
     comments and are ignored.

     # Password management (authentication)
     # The control flag "binding" provides a local overriding
     # remote (LDAP) control. The server_policy option is used
     # to tell pam_passwd_auth.so.1 to ignore the LDAP users.
     passwd  auth binding     pam_passwd_auth.so.1 server_policy
     passwd  auth required    pam_ldap.so.1

     # Password management (updates)
     # This updates passwords stored both in the local /etc
     # files and in the LDAP directory. The "server_policy"
     # option is used to tell pam_authtok_store to
     # follow the LDAP server's policy when updating
     # passwords stored in the LDAP directory.
     other   password required    pam_dhkeys.so.1
     other   password requisite   pam_authtok_get.so.1
     other   password requisite   pam_authtok_check.so.1
     other   password required    pam_authtok_store.so.1 server_policy
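     The examples above all follow the same rules: pam_ldap sits
     directly below the UNIX module that carries the binding flag and
     the server_policy option, pam_authtok_get precedes it in the auth
     stack, and only debug and nowarn are valid pam_ldap options. The
     following checker, an added example that is not part of pam_ldap
     or this manual, reads a pam.conf(4) text and reports stacks that
     break those rules; the parse_pam_conf and check_pam_ldap names and
     the SAMPLE_CONF text are constructed for illustration.

```python
# Added example, not from the pam_ldap(5) manual or Sun's code: checks a
# pam.conf(4) text against the stacking rules the manual states for pam_ldap.
from collections import defaultdict
UNIX_ABOVE = {"auth": "pam_unix_auth.so.1", "account": "pam_unix_account.so.1"}
PASSWD_AUTH = "pam_passwd_auth.so.1"    # must sit above pam_ldap in passwd auth
KNOWN_OPTS = {"debug", "nowarn"}         # the only options pam_ldap accepts
OBSOLETE_OPTS = {"use_first_pass", "try_first_pass"}   # silently ignored now

# Constructed sample: the manual's login stacking plus a broken su stack.
SAMPLE_CONF = """
login  auth requisite pam_authtok_get.so.1
login  auth binding   pam_unix_auth.so.1 server_policy
login  auth required  pam_ldap.so.1
su     auth required  pam_ldap.so.1 use_first_pass
"""

def parse_pam_conf(text):
    """Return {(service, type): [(control, module, options)]} in file order."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # '#' starts a comment
        if line:
            svc, mtype, control, module, *opts = line.split()
            stacks[(svc, mtype)].append((control, module, opts))
    return stacks

def check_pam_ldap(text):
    """Return findings as 'service type: problem' strings; [] means clean."""
    findings = []
    for (svc, mtype), entries in parse_pam_conf(text).items():
        for i, (_, module, opts) in enumerate(entries):
            if module != "pam_ldap.so.1":
                continue
            where = f"{svc} {mtype}"
            for o in opts:                            # options are case sensitive
                if o not in KNOWN_OPTS:
                    findings.append(f"{where}: option {o} is {'obsolete' if o in OBSOLETE_OPTS else 'unknown'}")
            want = UNIX_ABOVE.get(mtype)              # module required directly above
            if (svc, mtype) == ("passwd", "auth"):
                want = PASSWD_AUTH
            if want is None:                          # password/session: PAM_IGNORE
                continue
            above = entries[i - 1] if i else None
            if above is None or above[1] != want:
                findings.append(f"{where}: {want} must be directly above pam_ldap")
            elif above[0] != "binding" or "server_policy" not in above[2]:
                findings.append(f"{where}: {want} needs binding and server_policy")
            if mtype == "auth" and svc != "passwd" and not any(
                    m == "pam_authtok_get.so.1" for _, m, _ in entries[:i]):
                findings.append(f"{where}: pam_authtok_get must precede pam_ldap")
    return findings
```

     Running check_pam_ldap(SAMPLE_CONF) reports nothing for the login
     stack and three findings for the su stack.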
FILES
     /var/ldap/ldap_client_file
     /var/ldap/ldap_client_cred
           The LDAP configuration files of the client. Do not manually
           modify these files, as these files might not be human
           readable. Use ldapclient(1M) to update these files.

     /etc/pam.conf
           PAM configuration file.

ATTRIBUTES
     See attributes(5) for descriptions of the following attributes:

     _____________________________________________________________
    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    |_____________________________|_____________________________|
    | Interface Stability         | Committed                   |
    |_____________________________|_____________________________|
    | MT-Level                    | MT-Safe with exceptions     |
    |_____________________________|_____________________________|

SEE ALSO
     ldap(1), idsconfig(1M), ldap_cachemgr(1M), ldapclient(1M),
     libpam(3LIB), pam(3PAM), pam_sm_acct_mgmt(3PAM),
     pam_sm_authenticate(3PAM), pam_sm_chauthtok(3PAM),
     pam_sm_close_session(3PAM), pam_sm_open_session(3PAM),
     pam_sm_setcred(3PAM), syslog(3C), pam.conf(4), attributes(5),
     pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5),
     pam_passwd_auth(5), pam_unix_account(5), pam_unix_auth(5)

NOTES
     The interfaces in libpam(3LIB) are MT-Safe only if each thread
     within the multi-threaded application uses its own PAM handle.

     The previously supported use_first_pass and try_first_pass
     options are obsolete in this version, are no longer needed, can
     safely be removed from pam.conf(4), and are silently ignored.
     They might be removed in a future release. Password prompting
     must be provided for by stacking pam_authtok_get(5) before
     pam_ldap in the auth and password module stacks and
     pam_passwd_auth(5) in the passwd service auth stack (as described
     in the EXAMPLES section). The previously supported password
     update function is replaced in this release by the previously
     recommended use of pam_authtok_store with the server_policy
     option (as described in the EXAMPLES section).

     The functions pam_sm_setcred(3PAM), pam_sm_chauthtok(3PAM),
     pam_sm_open_session(3PAM), and pam_sm_close_session(3PAM) do
     nothing and return PAM_IGNORE in pam_ldap.

SunOS 5.11                Last change: 21 Dec 2005