pam_ldap.5 (2010 09)

pam_ldap(5) pam_ldap(5)
NAME
pam_ldap - authentication, account, session, and password management PAM modules for LDAP
SYNOPSIS
/usr/lib/security/$ISA/libpam_ldap.so.1
DESCRIPTION
The LDAP service module for PAM, /usr/lib/security/$ISA/libpam_ldap.so.1, provides
functionality for all four PAM module types: authentication, account management, session
management and password management.
The libpam_ldap.so.1 module is a shared object that can be dynamically loaded to provide the
necessary functionality on demand. Its path is specified in the PAM configuration file.
LDAP Authentication Module
The LDAP authentication component provides functions to verify the identity of a user
(pam_sm_authenticate()) and to set user-specific credentials (pam_sm_setcred()).
pam_sm_authenticate() compares the password entered by the user with the password held on
the LDAP directory server. If the passwords match, the user is authenticated.
The following options may be passed to the LDAP service module:
debug          Log debugging information via syslog() at LOG_DEBUG level. See syslog(3C).
nowarn         Turn off warning messages.
use_first_pass Compare the password in the password database with the user's initial
               password (entered when the user authenticated to the first authentication
               module in the stack). If the passwords do not match, or if no password has
               been entered, quit and do not prompt the user for a password.
               This option should only be used if the authentication service is designated
               as optional in the pam.conf configuration file.
try_first_pass Compare the password in the password database with the user's initial
               password (entered when the user authenticated to the first authentication
               module in the stack). If the passwords do not match, or if no password has
               been entered, prompt the user for a password.
ignore_unknown Force pam_ldap's authentication module to return [PAM_IGNORE] instead of
               [PAM_USER_UNKNOWN] for users not found in the LDAP repository. It should
               only be set if AUTH_MAXTRIES in pam_hpsec(5) is enabled for local users and
               pam_ldap is configured in the pam.conf configuration file after pam_unix.
deny_local     Discover whether the specified account name exists in the /etc/passwd file,
               or whether an account entry with the matching name in the LDAP directory
               has a uid number that matches an account in the /etc/passwd file. If either
               condition is true, PAM_IGNORE is returned. Otherwise the appropriate
               authentication status is returned.
ignore         Return PAM_IGNORE. This option is not intended to be specified in the
               pam.conf(4) file, but may be used in the pam_user.conf(4) file to specify
               that pam_ldap should ignore specific user names.
When prompting for the current password, the LDAP authentication module uses the prompt:
Password:.
The pam_sm_setcred() function sets user-specific credentials. In the case of LDAP, this is a
NULL function.
LDAP Account Management Module
The LDAP account management component provides a function to perform account management
(pam_sm_acct_mgmt()). The function retrieves data from the PAM handle that was set during
authentication, indicating whether the password has expired on the directory server.
debug syslog() debugging information at LOG_DEBUG level.
HP-UX 11i v3: June 2010 Web Release 1 Hewlett-Packard Company 1