NAME
pam_ldap — authentication, account, session, and password management PAM modules for LDAP
SYNOPSIS
/usr/lib/security/$ISA/libpam_ldap.so.1
DESCRIPTION
The LDAP service module for PAM, /usr/lib/security/$ISA/libpam_ldap.so.1, provides functionality for all four PAM module types: authentication, account management, session management, and password management. The libpam_ldap.so.1 module is a shared object that can be dynamically loaded to provide the necessary functionality on demand. Its path is specified in the PAM configuration file.
LDAP Authentication Module
The LDAP authentication component provides functions to verify the identity of a user (pam_sm_authenticate()) and to set user-specific credentials (pam_sm_setcred()). pam_sm_authenticate() compares the password entered by the user with the password stored in the LDAP directory server. If the passwords match, the user is authenticated.
The following options may be passed to the LDAP service module:
- debug
  syslog() debugging information at LOG_DEBUG level. See syslog(3C).
- nowarn
  Turn off warning messages.
- use_first_pass
  Compares the password in the password database with the user's initial password (entered when the user authenticated to the first authentication module in the stack). If the passwords do not match, or if no password has been entered, quit and do not prompt the user for a password. This option should only be used if the authentication service is designated as optional in the pam.conf configuration file.
- try_first_pass
  Compares the password in the password database with the user's initial password (entered when the user authenticated to the first authentication module in the stack). If the passwords do not match, or if no password has been entered, prompt the user for a password.
- ignore_unknown
  This flag forces the pam_ldap authentication module to return PAM_IGNORE instead of PAM_USER_UNKNOWN for users not found in the LDAP repository. It should only be set if AUTH_MAXTRIES in pam_hpsec (see pam_hpsec(5)) is enabled for local users and pam_ldap is configured in the pam.conf configuration file after pam_unix.
When prompting for the current password, the LDAP authentication module uses the prompt "Password:".
The pam_sm_setcred() function sets user-specific credentials. In the case of LDAP, this is a NULL function.
LDAP Account Management Module
The LDAP account management component provides a function to perform account management (pam_sm_acct_mgmt()). The function retrieves data from the PAM handle that was set during authentication, which indicates whether the password has expired on the directory server.
The following options may be passed to the LDAP service module:
- debug
  syslog() debugging information at LOG_DEBUG level.
- nowarn
  Turn off warning messages.
- rcommand
  Some versions of HP-UX require this option for the r-commands, such as rlogin (see rlogin(1)), to work with PAM.
  Warning: Enabling the rcommand option could allow users with active accounts on a remote host to rlogin to the local host into a disabled account.
LDAP Session Management Module
The LDAP session management component provides functions to initiate (pam_sm_open_session()) and terminate (pam_sm_close_session()) LDAP sessions. For LDAP, pam_sm_open_session() is a NULL function.
The following options may be passed to the LDAP service module:
- debug
  syslog() debugging information at LOG_DEBUG level.
- nowarn
  Turn off warning messages.
pam_sm_close_session() is also a NULL function.
LDAP Password Management Module
The LDAP password management component provides a function to change passwords (pam_sm_chauthtok()) in the LDAP directory server. This module must be required in pam.conf. It cannot be optional or sufficient.
The following options may be passed to the LDAP service module:
- debug
  syslog() debugging information at LOG_DEBUG level.
- nowarn
  Turn off warning messages.
- use_first_pass
  Compares the password in the password database with the user's old password (entered to the first password module in the stack). If the passwords do not match, or if no password has been entered, quit and do not prompt the user for the old password. It also attempts to use the new password (entered to the first password module in the stack) as the new password for this module. If the new password fails, quit and do not prompt the user for a new password.
- try_first_pass
  Compares the password in the password database with the user's old password (entered to the first password module in the stack). If the passwords do not match, or if no password has been entered, prompt the user for the old password. It also attempts to use the new password (entered to the first password module in the stack) as the new password for this module. If the new password fails, prompt the user for a new password.
If the user's password has expired, the LDAP account module saves this information in the authentication handle using pam_set_data(). The LDAP password module retrieves this information from the authentication handle using pam_get_data() to determine whether or not to force the user to update their password.
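The following pam.conf fragment is an added example, not text from this man page or from HP, that puts the placement and control-flag rules of the sections above into one configuration: pam_ldap listed after pam_unix in the authentication stack with ignore_unknown, try_first_pass so the password collected by the first module is reused, rcommand left off the account entry, and the password stack with pam_ldap marked required. The "login" and "passwd" service names, the libpam_hpsec.so.1 and libpam_unix.so.1 module paths, and the use of "sufficient" for pam_unix in the authentication stack are assumptions; the libpam_ldap.so.1 path and the option names are the ones documented above. Each line follows the HP-UX pam.conf column order: service, module type, control flag, module path, options.

```text
# Constructed pam.conf fragment for illustration; not from the pam_ldap man page.
# Columns: service  module_type  control_flag  module_path  options
# Assumed: the "login" and "passwd" service names, the libpam_hpsec.so.1 and
# libpam_unix.so.1 module paths, and "sufficient" on the pam_unix auth entry.

# Authentication. pam_ldap is listed after pam_unix, which is the placement the
# ignore_unknown option requires (together with AUTH_MAXTRIES enabled in
# pam_hpsec for local users); a user absent from the directory then yields
# PAM_IGNORE rather than PAM_USER_UNKNOWN. try_first_pass reuses the password
# collected by pam_unix and re-prompts only if it does not match the directory.
login   auth      required    /usr/lib/security/$ISA/libpam_hpsec.so.1
login   auth      sufficient  /usr/lib/security/$ISA/libpam_unix.so.1
login   auth      required    /usr/lib/security/$ISA/libpam_ldap.so.1   try_first_pass ignore_unknown

# use_first_pass never re-prompts, so the man page permits it only when the
# pam_ldap authentication entry is marked optional, as in this alternative:
# login   auth      optional    /usr/lib/security/$ISA/libpam_ldap.so.1   use_first_pass ignore_unknown

# Account management. rcommand is deliberately left off: the man page warns it
# can let a user with an active account on a remote host rlogin into a
# disabled local account.
login   account   required    /usr/lib/security/$ISA/libpam_unix.so.1
login   account   required    /usr/lib/security/$ISA/libpam_ldap.so.1

# Session management. Both LDAP session functions are NULL functions, so this
# entry only keeps the stack complete.
login   session   required    /usr/lib/security/$ISA/libpam_ldap.so.1

# Password management. The man page requires the pam_ldap control flag to be
# "required" here; "optional" and "sufficient" are not allowed.
passwd  password  required    /usr/lib/security/$ISA/libpam_unix.so.1
passwd  password  required    /usr/lib/security/$ISA/libpam_ldap.so.1   try_first_pass
# Not permitted for the pam_ldap password module:
# passwd  password  sufficient  /usr/lib/security/$ISA/libpam_ldap.so.1   try_first_pass
```

When reviewing an existing pam.conf against this page, the three things to check are the control flag on the pam_ldap password entry (must be required), whether use_first_pass appears on an authentication entry that is not optional, and whether ignore_unknown is set on a pam_ldap entry that precedes pam_unix.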