pam_ldap(8) UNIX System V pam_ldap(8)
NAME
pam_ldap - Lightweight Directory Access Protocol PAM Service
Module
SYNOPSIS
/usr/lib32/security/pam_ldap.so
DESCRIPTION
The LDAP service module for PAM,
/usr/lib32/security/pam_ldap.so, provides functionality for
three PAM categories: authentication, account management,
and password management. It also provides null functions for
session management. The pam_ldap.so module is a shared
object that can be dynamically loaded to provide the
necessary functionality upon demand. Its path is specified
in the PAM configuration file.
Authentication Component
The LDAP authentication component provides functions to
verify the identity of a user (pam_sm_authenticate()) and
to set user-specific credentials (pam_sm_setcred()).
Account Management Component
The LDAP account management component provides a function to
perform account management, pam_sm_acct_mgmt(). The
function verifies that the authenticated user is allowed to
log in to the local user account.
Password Management Component
The LDAP password management component provides a function
to change user passwords (pam_sm_chauthtok()).
In addition to the options accepted by all the LDAP service
module components (see below), the password management
component also accepts:
use_authtok
Session Management Component
The LDAP session management component provides functions to
initiate (pam_sm_open_session()) and terminate
(pam_sm_close_session()) sessions. Since session management
is not defined under LDAP, both of these functions simply
return success. Additionally, the former will close any
outstanding network connections.
LDAP Service Module Configuration
The LDAP PAM service module is configured in two parts. Its
behavior inside the PAM stack is configured by passing
parameters through the standard PAM configuration mechanisms
Page 1 (printed 5/15/05)
(/etc/pam.conf or /etc/pam.d/, see PAM(8) ). Its behavior in
contacting and querying an LDAP server is configured in a
separate file (/etc/security/pam_ldap.conf). The following
PAM options may be passed to all of the LDAP service
module components:
config=filename
Use filename as the pam_ldap configuration
file instead of /etc/security/pam_ldap.conf.
filename must specify the absolute path to
the configuration file.
debug This option makes pam_ldap print debugging
information. This is not recommended for
production systems.
ignore_unknown_user
If this option is set and the user's details
are not found in the LDAP directory, the
component returns ignore to the PAM
framework, rather than user_unknown (see
PAM(8) for details).
no_warn Instructs the component not to give warning
messages to the user via the calling
application.
use_first_pass If the authentication component is not the
first in the stack, and a previous module
obtained the user's password, that password
is used to authenticate the user. If this
fails, the authentication component returns
failure without prompting the user for a
password. This option has no effect if the
authentication module is the first in the
stack, or if no previous modules obtained the
user's password.
try_first_pass This option is similar to the use_first_pass
option, except that if the previously
obtained password fails, the user is prompted
for another password.
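As an added example, not part of this manual page, the following /etc/pam.d/login stack places a local-password module ahead of pam_ldap so that the options just described take effect; the pam_unix.so path and the service file name are assumptions.

```conf
# /etc/pam.d/login (constructed example; the pam_unix.so path is assumed)

# auth: pam_unix prompts for and stores the password. If the account is
# local and the password is right, "sufficient" ends the stack. Otherwise
# pam_ldap reuses the stored password (use_first_pass) and, if that fails,
# returns failure without prompting again, so nobody is asked twice.
auth      sufficient  /usr/lib32/security/pam_unix.so
auth      required    /usr/lib32/security/pam_ldap.so use_first_pass

# account: if pam_unix does not accept the account, pam_ldap decides.
# With ignore_unknown_user a user absent from the directory yields
# ignore rather than a user_unknown failure.
account   sufficient  /usr/lib32/security/pam_unix.so
account   required    /usr/lib32/security/pam_ldap.so ignore_unknown_user

# password: use_authtok is the extra option the password component
# accepts; the new password is taken from the previous module.
password  sufficient  /usr/lib32/security/pam_unix.so
password  required    /usr/lib32/security/pam_ldap.so use_authtok

# session: pam_ldap's session functions only return success, so they
# contribute nothing here and the module can be listed as optional.
session   required    /usr/lib32/security/pam_unix.so
session   optional    /usr/lib32/security/pam_ldap.so
```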
The pam_ldap configuration file has the same syntax as the
LDAP client configuration file, /etc/openldap/ldap.conf (see
ldap.conf(5) ). This, in conjunction with the
config=filename PAM option, lets you share LDAP settings
between pam_ldap and other LDAP clients.
pam_ldap silently ignores any unrecognized options in its
configuration file. The following options are recognized:
base dn dn is the distinguished name used as the base
for LDAP searches.
binddn dn dn is the distinguished name used to bind
with the LDAP server.
bindpw secret Specifies secret as the credential to bind
with when not binding as root.
bind_timelimit secs
This option specifies secs as the maximum
number of seconds to spend waiting for the
LDAP server to accept(2) a TCP connection.
host list This option specifies the name of the LDAP
server(s) to use. list must be a space-
separated list of hostnames or addresses.
ldap_version version
Specifies the version of the LDAP protocol to
use. version must be either 2 or 3. Version 3
is the default.
nss_base_passwd dn[?scope[?filter]]
This option specifies the base distinguished
name for password entry searches. If the
distinguished name, dn, is not fully qualified
(e.g. "ou=People,"), the distinguished name
from the base option is appended. dn may be
followed by a scope specifier and a filter,
each separated by question marks. scope can
take the same values as the scope option.
filter has the same semantics as the
pam_filter option.
pam_check_host_attr yes|no
If this option is "yes", pam_ldap will test
for the existence of the "host" attribute in
the directory entry for the authenticating
user. Access will be allowed only if the
"host" attribute is present and specifies
that the authenticating host should be
allowed. The "host" attribute should contain
"*" to indicate that users can authenticate
from any host, otherwise it should contain
the hostnames the user is allowed to
authenticate from (one name per "host"
attribute).
pam_filter filter
This option specifies the initial condition
of the search filter used to retrieve user
account information from the LDAP server. For
example, if the query needed to retrieve
account information for the user "phillis"
was
"(&(objectClass=posixAccount)(uid=phillis))",
then filter must be set to
"objectClass=posixAccount".
pam_groupdn dn If this option is set, pam_ldap does not
allow access unless the user is a member of a
given group. dn is the distinguished name of
the group object in the directory and the
pam_member_attribute option specifies the
attribute that contains the names of the
group members.
pam_login_attribute attr
This option specifies the name of the
attribute matched when searching for user
account information. The default value for
attr is "uid".
pam_lookup_policy yes|no
If this option is "yes", pam_ldap will search
the directory for a passwordPolicy object
that specifies the maximum number of password
entry failures and minimum password length.
pam_max_uid n If the user ID of the authenticating user is
greater than n, pam_ldap will deny access.
pam_member_attribute attr
If the pam_groupdn option is set, pam_ldap
denies access unless the distinguished name
of the authenticating user is present in the
attribute attr belonging to the group object
specified by the pam_groupdn option. The
default value for attr is "uniquemember".
pam_min_uid n If the user ID of the authenticating user is
less than n, pam_ldap will deny access.
pam_password clear|crypt|nds|ad|exop
This option tells pam_ldap how to handle
passwords when sending them to the directory
server. If it is set to "crypt", the password
is hashed locally with the crypt(3) function.
"nds" forces removal of the old password
before setting the new one. "ad" enables
resetting passwords in an Active Directory
server. "exop" uses the LDAPv3 MODIFY_PASSWD
extended operation to update the user's
password. "clear" sends the password in the
clear.
pam_password_prohibit_message message
This option prohibits password changes by
LDAP users and displays an explanatory
message.
pam_template_login user
Reset the PAM_USER item to user after
authenticating with the provided user name.
pam_template_login_attribute attr
Take the value of pam_template_login from the
PAM item attr.
port n This option specifies the port to contact the
LDAP server on. The default is 389, or 636 if
SSL is in use. If the uri option is set, this
option is ignored.
restart yes|no This option makes pam_ldap automatically
restart an interrupted communication with the
LDAP server. It is on by default.
rootbinddn dn If this option is specified, and the effective
user ID of the calling process is 0, pam_ldap
will attempt to bind to the LDAP directory
with the distinguished name dn instead of the
one given by the binddn option. The password
to bind with is read from
/etc/security/pam_ldap.secret. This file
should be owned by root and have 0600
permissions.
ssl start_tls|on
Setting this option to "start_tls" makes
pam_ldap use the Start TLS LDAPv3 extended
operation to establish a TLS session with the
LDAP server. Setting this option to "on"
makes pam_ldap unconditionally connect to the
LDAP server using SSL.
scope base|one|sub
This option specifies the scope that is used
when searching the LDAP directory.
timelimit secs This option specifies secs as the maximum
number of seconds to spend on a search.
tls_cacertdir path
Specifies a directory where pam_ldap can find
CA certificates to use for server
verification in separate files.
tls_cacertfile filename
Specifies a single file where pam_ldap can
find CA certificates to use for server
verification.
tls_cert filename
Specifies the file that contains the client
certificate.
tls_ciphers cipher
This option specifies which encryption
ciphers can be used to connect to the LDAP
server. cipher is a colon-separated list of
encryption cipher names. See ciphers(1) for
full details of the format of the cipher
string.
tls_checkpeer yes|no
If this option is "yes", pam_ldap will
require that the LDAP server produce a valid
TLS certificate. If it is "no", server
certificates will be neither requested nor
checked.
tls_key filename
Specifies the file that contains the private
key that matches the certificate in the file
named by the tls_cert option.
tls_randfile filename
Specifies the file to obtain random bits from
when /dev/[u]random is not available.
uri server This option specifies the LDAP server as an
RFC 2255 LDAP URL. If this option is
specified, server is used as the LDAP server
instead of the host and port specified by the
host and port options.
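An added example of a complete /etc/security/pam_ldap.conf that is not from this manual page; the server name, DNs, passwords and certificate path are placeholders, and the comments contrast the weaker alternatives among the options above with the setting chosen.

```conf
# /etc/security/pam_ldap.conf (constructed example; server name, DNs,
# passwords and certificate path are placeholders)

# Server: a single RFC 2255 URL replaces host and port. LDAPv3 is
# needed for Start TLS and for the exop password change below.
uri ldap://ldap.example.com/
ldap_version 3
base dc=example,dc=com
scope sub
bind_timelimit 10
timelimit 15

# Transport: "ssl start_tls" upgrades the port-389 session to TLS.
# "tls_checkpeer no" would accept any server certificate and hand the
# bind and user passwords to a spoofed server; keep it yes and point
# at the CA that issued the directory's certificate.
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/example-ca.pem

# Search identity: binddn/bindpw are visible to anyone who can read
# this file, so give that DN search-only rights. Root processes bind
# as rootbinddn with the password from /etc/security/pam_ldap.secret
# (root-owned, mode 0600).
binddn cn=pam-search,ou=Services,dc=example,dc=com
bindpw SEARCH-PASSWORD-PLACEHOLDER
rootbinddn cn=pam-admin,ou=Services,dc=example,dc=com

# Locating the account: the search for login "phillis" becomes
# (&(objectClass=posixAccount)(uid=phillis)) under
# ou=People,dc=example,dc=com, since the relative dn gets base appended.
pam_filter objectClass=posixAccount
pam_login_attribute uid
nss_base_passwd ou=People,?one

# Authorization beyond a correct password: uid window, membership in
# a group (the user's DN must appear among its uniqueMember values)
# and the per-user "host" attribute ("*" or one hostname per value).
pam_min_uid 1000
pam_max_uid 60000
pam_groupdn cn=shell-users,ou=Groups,dc=example,dc=com
pam_member_attribute uniqueMember
pam_check_host_attr yes

# Password changes: exop uses the LDAPv3 password modify operation and
# lets the server store the result under its own policy; "clear" would
# send the new password as a plain attribute value.
pam_password exop
```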
FILES
/etc/security/pam_ldap.conf
/etc/security/pam_ldap.secret
SEE ALSO
crypt(3), ciphers(1), ldap.conf(5), pam(8), syslog(3).
NOTES
There is no way to specify a root password file different
from /etc/security/pam_ldap.secret.