pam_ldap(5)          Standards, Environments, and Macros          pam_ldap(5)



NAME
     pam_ldap - authentication and account management PAM module for LDAP

SYNOPSIS
     /usr/lib/security/pam_ldap.so.1

DESCRIPTION
     The pam_ldap module implements pam_sm_authenticate(3PAM) and
     pam_sm_acct_mgmt(3PAM), the functions that provide functionality for
     the PAM authentication and account management stacks. The pam_ldap
     module ties the authentication and account management functionality to
     the functionality of the supporting LDAP server. For authentication,
     pam_ldap can authenticate the user directly to any LDAP directory
     server by using any supported authentication mechanism, such as
     DIGEST-MD5. However, the account management component of pam_ldap
     works only with the Sun Java System Directory Server. The server's
     user account management must be properly configured before it can be
     used by pam_ldap. Refer to the Sun Java System Directory Server
     Administration Guide for information on how to configure user account
     management, including password and account lockout policy.

     pam_ldap must be used in conjunction with the modules that support
     UNIX authentication, password, and account management, which are
     pam_authtok_get(5), pam_passwd_auth(5), pam_unix_account(5), and
     pam_unix_auth(5). pam_ldap is designed to be stacked directly below
     these modules. Other modules designed to be stacked in this manner can
     be stacked below the pam_ldap module. The EXAMPLES section shows how
     the UNIX modules are stacked with pam_ldap. When stacked together, the
     UNIX modules control local accounts, such as root, and pam_ldap
     controls network accounts, that is, LDAP users. For the stacks to
     work, pam_unix_auth, pam_unix_account, and pam_passwd_auth must be
     configured with the binding control flag and the server_policy option.
     This configuration allows a local account to override a network
     account.

   LDAP Authentication Module
     The LDAP authentication module verifies the identity of a user. The
     pam_sm_authenticate(3PAM) function uses the password entered by the
     user to attempt to authenticate to the LDAP server. If successful, the
     user is authenticated. See NOTES for information on password
     prompting.

     The authentication method used is either defined in the client
     profile or configured with the ldapclient(1M) command. To determine
     the authentication method to use, this module first attempts to use
     the authentication method defined for the service pam_ldap, for
     example, serviceAuthenticationMethod:pam_ldap:sasl/DIGEST-MD5. If no
     such method is defined, pam_ldap uses the default authentication
     method. If neither is set, the authentication fails. This module skips
     the configured authentication method if that method is set to none.
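     The selection order described above (service-specific method, then the
     client default, with "none" entries passed over) is shown below as an
     added Python example; it is not part of this manual page or of the
     Solaris pam_ldap implementation. The "attribute: value" text layout of
     the profile, the reading of "skips" as "passes over a none entry and
     continues", and the sample profiles are this example's own
     assumptions; the real client profile lives in /var/ldap/ldap_client_file
     and is managed with ldapclient(1M).

```python
"""Pick the LDAP authentication method pam_ldap would use.

Order taken from the pam_ldap(5) text: the method defined for service
pam_ldap first, then the client's default authenticationMethod; entries set
to "none" are skipped, and when nothing usable remains the authentication
fails.  The "attr: value" text layout and the "skip none and continue"
reading are assumptions made for this example.
"""


class NoAuthMethod(Exception):
    """Neither a service-specific nor a default method is usable."""


def parse_client_profile(text):
    """Return (default_method, {service: [methods]}) from 'attr: value' lines."""
    default = None
    per_service = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if attr == "authenticationMethod":
            default = value
        elif attr == "serviceAuthenticationMethod":
            # value looks like "pam_ldap:sasl/DIGEST-MD5" (service:method)
            service, _, method = value.partition(":")
            per_service.setdefault(service.strip(), []).append(method.strip())
    return default, per_service


def resolve_auth_method(profile_text, service="pam_ldap"):
    """Return the method pam_ldap would use, or raise NoAuthMethod."""
    default, per_service = parse_client_profile(profile_text)
    # 1. A method defined for this service wins; "none" entries are skipped.
    for method in per_service.get(service, []):
        if method and method.lower() != "none":
            return method
    # 2. Otherwise fall back to the client's default method.
    if default and default.lower() != "none":
        return default
    # 3. Neither is set: the authentication fails.
    raise NoAuthMethod(f"no usable authentication method for service {service}")


def authentication_fails(profile_text, service="pam_ldap"):
    """True when pam_ldap would fail the authentication for lack of a method."""
    try:
        resolve_auth_method(profile_text, service)
    except NoAuthMethod:
        return True
    return False


# Constructed profiles covering the three cases in the text.
SERVICE_SPECIFIC = """
authenticationMethod: simple
serviceAuthenticationMethod: pam_ldap:sasl/DIGEST-MD5
"""
DEFAULT_ONLY = """
authenticationMethod: tls:simple
serviceAuthenticationMethod: pam_ldap:none
"""
NOTHING_USABLE = """
authenticationMethod: none
"""

if __name__ == "__main__":
    for name, profile in (("service-specific", SERVICE_SPECIFIC),
                          ("default only", DEFAULT_ONLY),
                          ("nothing usable", NOTHING_USABLE)):
        try:
            print(f"{name}: {resolve_auth_method(profile)}")
        except NoAuthMethod as err:
            print(f"{name}: authentication fails ({err})")
```

     The second profile is the case worth checking on a real client: a
     service entry of none does not switch LDAP authentication off, it
     hands the decision to the client default.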

     The following options can be passed to the LDAP service module:

     debug      Log debugging information through syslog(3C) at LOG_DEBUG
                level.

     nowarn     Turn off warning messages.

     These options are case sensitive and must be used exactly as presented
     here.

   LDAP Account Management Module
     The LDAP account management module validates the user's account. The
     pam_sm_acct_mgmt(3PAM) function authenticates to the LDAP server to
     verify that the user's password has not expired and that the user's
     account has not been locked. If no user authentication token
     (PAM_AUTHTOK) is available, the pam_sm_acct_mgmt(3PAM) function
     attempts to retrieve the user's account status without authenticating
     to the LDAP server as the user logging in. This procedure succeeds
     only if the LDAP server is Sun Java System Directory Server 5.2
     patch 4 or newer. The following options can be passed to the LDAP
     service module:

     debug      Log debugging information through syslog(3C) at LOG_DEBUG
                level.

     nowarn     Turn off warning messages.

     These options are case sensitive and must be used exactly as presented
     here.

   LDAP Password Management Module
     LDAP password management is no longer supported by pam_ldap. Use
     pam_authtok_store(5) instead of pam_ldap for password changes.
     pam_authtok_store(5) handles both local and LDAP accounts and updates
     the passwords in all the repositories configured by nsswitch.conf(4).

ERRORS
     The authentication service returns the following error codes:

     PAM_SUCCESS           The authentication was successful.

     PAM_MAXTRIES          The maximum number of authentication attempts
                           was exceeded.

     PAM_AUTH_ERR          The authentication failed.

     PAM_USER_UNKNOWN      No account is present for the user.

     PAM_BUF_ERR           A memory buffer error occurred.

     PAM_SYSTEM_ERR        A system error occurred.

     PAM_IGNORE            The user's account was inactivated.

     The account management service returns the following error codes:

     PAM_SUCCESS           The user was allowed access to the account.

     PAM_NEW_AUTHTOK_REQD  A new authentication token is required.

     PAM_ACCT_EXPIRED      The user account has expired.

     PAM_PERM_DENIED       The user was denied access to the account at
                           this time.

     PAM_USER_UNKNOWN      No account is present for the user.

     PAM_BUF_ERR           A memory buffer error occurred.

     PAM_SYSTEM_ERR        A system error occurred.

EXAMPLES
     Example 1 Using pam_ldap With Authentication

     The following is a configuration for the login service when using
     pam_ldap. Any other authentication service, such as dtlogin or su, can
     be substituted for the service name login. Lines that begin with the
     # symbol are comments and are ignored.

       # Authentication management for login service is stacked.
       # If pam_unix_auth succeeds, pam_ldap is not invoked.
       # The control flag "binding" provides a local overriding
       # remote (LDAP) control. The "server_policy" option is used
       # to tell pam_unix_auth.so.1 to ignore the LDAP users.

       login auth requisite pam_authtok_get.so.1
       login auth required  pam_dhkeys.so.1
       login auth required  pam_unix_cred.so.1
       login auth binding   pam_unix_auth.so.1 server_policy
       login auth required  pam_ldap.so.1

     Example 2 Using pam_ldap With Account Management

     The following is a configuration for account management when using
     pam_ldap. Lines that begin with the # symbol are comments and are
     ignored.

       # Account management for all services is stacked.
       # If pam_unix_account succeeds, pam_ldap is not invoked.
       # The control flag "binding" provides a local overriding
       # remote (LDAP) control. The "server_policy" option is used
       # to tell pam_unix_account.so.1 to ignore the LDAP users.

       other account requisite pam_roles.so.1
       other account binding   pam_unix_account.so.1 server_policy
       other account required  pam_ldap.so.1

     Example 3 Using pam_authtok_store With Password Management For Both
     Local and LDAP Accounts

     The following is a configuration for password management when using
     pam_authtok_store. Lines that begin with the # symbol are comments and
     are ignored.

       # Password management (authentication)
       # The control flag "binding" provides a local overriding
       # remote (LDAP) control. The server_policy option is used
       # to tell pam_passwd_auth.so.1 to ignore the LDAP users.

       passwd auth binding  pam_passwd_auth.so.1 server_policy
       passwd auth required pam_ldap.so.1

       # Password management (updates)
       # This updates passwords stored both in the local /etc
       # files and in the LDAP directory. The "server_policy"
       # option is used to tell pam_authtok_store to
       # follow the LDAP server's policy when updating
       # passwords stored in the LDAP directory.

       other password required  pam_dhkeys.so.1
       other password requisite pam_authtok_get.so.1
       other password requisite pam_authtok_check.so.1
       other password required  pam_authtok_store.so.1 server_policy

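     The stacking rules stated in the DESCRIPTION and NOTES (binding
     control flag plus server_policy on the UNIX module stacked directly
     above pam_ldap, pam_authtok_get or pam_passwd_auth for prompting, no
     pam_ldap in the password stack, use_first_pass and try_first_pass
     obsolete) are illustrated by Examples 1 to 3, and a stack that departs
     from them changes which accounts can log in without any error being
     reported. The following Python script is an added example, not part of
     this manual page or of Solaris; it parses pam.conf(4) entries and
     reports departures from those rules. The passing configuration is the
     three examples above concatenated; the failing fragment is constructed
     for illustration.

```python
"""Check pam.conf(4) entries against the stacking rules in pam_ldap(5).

Rules (from the manual page text): the matching UNIX module must sit above
pam_ldap.so.1 in auth and account stacks with control flag "binding" and the
"server_policy" option; pam_authtok_get.so.1 must precede pam_ldap.so.1 in
auth stacks (pam_passwd_auth.so.1 prompts in the passwd service instead);
pam_ldap.so.1 no longer supports the password stack; use_first_pass and
try_first_pass are obsolete.  Sample configurations below are the page's own
examples plus one constructed misconfiguration.
"""
from collections import defaultdict

LDAP = "pam_ldap.so.1"
PROMPTER = "pam_authtok_get.so.1"
OBSOLETE_OPTIONS = {"use_first_pass", "try_first_pass"}

# (module type, service) -> UNIX module that must be stacked above pam_ldap.
# "*" matches any service not listed explicitly.
UNIX_PARTNER = {
    ("auth", "passwd"): "pam_passwd_auth.so.1",
    ("auth", "*"): "pam_unix_auth.so.1",
    ("account", "*"): "pam_unix_account.so.1",
}


def parse_pam_conf(text):
    """Group entries by (service, module type) in file order.

    Each entry is (control_flag, module_basename, [options]).  Comments and
    blank lines are dropped; lines with fewer than four fields are ignored.
    """
    stacks = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        service, mtype, control, module, *options = fields
        module = module.rsplit("/", 1)[-1]   # allow absolute module paths
        stacks[(service, mtype)].append((control, module, options))
    return stacks


def lint_pam_conf(text):
    """Return a list of findings; an empty list means the stacks follow the rules."""
    findings = []
    for (service, mtype), entries in parse_pam_conf(text).items():
        modules = [module for _, module, _ in entries]
        if LDAP not in modules:
            continue
        where = f"{service} {mtype}"
        ldap_index = modules.index(LDAP)

        for option in entries[ldap_index][2]:
            if option in OBSOLETE_OPTIONS:
                findings.append(f"{where}: {option} on {LDAP} is obsolete and ignored")

        if mtype == "password":
            findings.append(f"{where}: {LDAP} no longer supports password management; "
                            "use pam_authtok_store.so.1 server_policy")
            continue

        partner = UNIX_PARTNER.get((mtype, service)) or UNIX_PARTNER.get((mtype, "*"))
        if partner is None:
            continue   # pam_ldap returns PAM_IGNORE in session stacks

        above = modules[:ldap_index]
        if partner not in above:
            findings.append(f"{where}: {partner} must be stacked above {LDAP}")
        else:
            control, _, options = entries[above.index(partner)]
            if control != "binding":
                findings.append(f"{where}: {partner} has control flag {control!r}; "
                                "binding is required")
            if "server_policy" not in options:
                findings.append(f"{where}: {partner} is missing the server_policy option")

        if mtype == "auth" and service != "passwd" and PROMPTER not in above:
            findings.append(f"{where}: {PROMPTER} must precede {LDAP} to prompt for the password")
    return findings


# Examples 1 to 3 from pam_ldap(5), concatenated.
PAGE_EXAMPLES = """
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
"""

# Constructed misconfiguration: no prompting module, "required" instead of
# "binding", no server_policy, an obsolete option, pam_ldap in the password stack.
BROKEN_STACK = """
login auth required pam_unix_auth.so.1
login auth required /usr/lib/security/pam_ldap.so.1 try_first_pass
other password required pam_ldap.so.1
"""

if __name__ == "__main__":
    for name, conf in (("page examples", PAGE_EXAMPLES), ("broken stack", BROKEN_STACK)):
        findings = lint_pam_conf(conf)
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print("  -", finding)
```

     Run it against /etc/pam.conf after editing the stacks; a "required"
     where "binding" was intended is the finding that matters most, because
     it removes the local-account override the DESCRIPTION relies on.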

FILES
     /var/ldap/ldap_client_file     The LDAP configuration files of the
     /var/ldap/ldap_client_cred     client. Do not manually modify these
                                    files, as they might not be human
                                    readable. Use ldapclient(1M) to update
                                    these files.

     /etc/pam.conf                  PAM configuration file.

ATTRIBUTES
     See attributes(5) for descriptions of the following attributes:

     ┌─────────────────────────────┬─────────────────────────────┐
     │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
     ├─────────────────────────────┼─────────────────────────────┤
     │Interface Stability          │Evolving                     │
     ├─────────────────────────────┼─────────────────────────────┤
     │MT-Level                     │MT-Safe with exceptions      │
     └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
     ldap(1), idsconfig(1M), ldap_cachemgr(1M), ldapclient(1M),
     libpam(3LIB), pam(3PAM), pam_sm_acct_mgmt(3PAM),
     pam_sm_authenticate(3PAM), pam_sm_chauthtok(3PAM),
     pam_sm_close_session(3PAM), pam_sm_open_session(3PAM),
     pam_sm_setcred(3PAM), syslog(3C), pam.conf(4), attributes(5),
     pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5),
     pam_passwd_auth(5), pam_unix_account(5), pam_unix_auth(5)

NOTES
     The interfaces in libpam(3LIB) are MT-Safe only if each thread within
     the multi-threaded application uses its own PAM handle.

     The previously supported use_first_pass and try_first_pass options are
     obsolete in this version, are no longer needed, can safely be removed
     from pam.conf(4), and are silently ignored. They might be removed in a
     future release. Password prompting must be provided for by stacking
     pam_authtok_get(5) before pam_ldap in the auth and password module
     stacks, and pam_passwd_auth(5) in the passwd service auth stack, as
     described in the EXAMPLES section. The previously supported password
     update function is replaced in this release by the previously
     recommended use of pam_authtok_store with the server_policy option, as
     described in the EXAMPLES section.

     The functions pam_sm_setcred(3PAM), pam_sm_chauthtok(3PAM),
     pam_sm_open_session(3PAM), and pam_sm_close_session(3PAM) do nothing
     and return PAM_IGNORE in pam_ldap.



SunOS 5.11                      21 Dec 2005                        pam_ldap(5)