pam_ldap.5 (2010 09)

pam_ldap(5) pam_ldap(5)
nowarn          Turn off warning messages.

rcommand        Some versions of HP-UX require this option for r-commands, such as
                rlogin(1), to work with PAM.

                Warning: Enabling the rcommand option could allow users with active
                accounts on a remote host to rlogin to the local host onto a
                disabled account.

deny_local      Checks whether the account name specified exists in the /etc/passwd
                file, or whether an account entry with the matching name in the LDAP
                directory has a uid number that matches an account in the /etc/passwd
                file. If either of these conditions is true, PAM_IGNORE is returned.
                Otherwise the appropriate account management status is returned.

ignore          Returns PAM_IGNORE. This option is not intended to be specified in the
                pam.conf(4) file, but may be used in the pam_user.conf(4) file to
                specify that PAM_LDAP should ignore specific user names.
LDAP Session Management Module
The LDAP session management component provides functions to initiate
(pam_sm_open_session()) and terminate (pam_sm_close_session()) LDAP sessions. For LDAP,
pam_open_session() is a NULL function. The following options may be passed in to the
LDAP service module:

debug           syslog() debugging information at LOG_DEBUG level.

nowarn          Turn off warning messages.

ignore          Returns PAM_IGNORE. This option is not intended to be specified in the
                pam.conf(4) file, but may be used in the pam_user.conf(4) file to
                specify that PAM_LDAP should ignore specific user names.

pam_close_session() is a NULL function.
LDAP Password Management Module
The LDAP password management component provides a function to change passwords
(pam_sm_chauthtok()) in the LDAP directory server. This module must be required in
pam.conf. It cannot be optional or sufficient. The following options may be passed in to
the LDAP service module:

debug           syslog() debugging information at LOG_DEBUG level.

nowarn          Turn off warning messages.

use_first_pass  Compares the password in the password database with the user's old
                password (entered to the first password module in the stack). If the
                passwords do not match, or if no password has been entered, quit and
                do not prompt the user for the old password. It also attempts to use
                the new password (entered to the first password module in the stack)
                as the new password for this module. If the new password fails, quit
                and do not prompt the user for a new password.

try_first_pass  Compares the password in the password database with the user's old
                password (entered to the first password module in the stack). If the
                passwords do not match, or if no password has been entered, prompt
                the user for the old password. It also attempts to use the new
                password (entered to the first password module in the stack) as the
                new password for this module. If the new password fails, prompt the
                user for a new password.

ignore          Returns PAM_IGNORE. This option is not intended to be specified in the
                pam.conf(4) file, but may be used in the pam_user.conf(4) file to
                specify that PAM_LDAP should ignore specific user names.
If the user's password has expired, the LDAP account module saves this information in the
authentication handle using pam_set_data(). The LDAP password module retrieves this
information from the authentication handle using pam_get_data() to determine whether or not
to force the user to update their password.
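The following pam.conf(4) and pam_user.conf(4) fragments are an added illustration, not taken from the HP-UX documentation, of how the options described above combine across the account, session and password stacks and where the ignore option belongs. The library names libpam_ldap.so.1 and libpam_unix.so.1, the service name login, the user name oper and the exact pam_user.conf column layout are assumptions.

```text
# /etc/pam.conf fragment (constructed example; service "login")
# service  module_type  control_flag  module_path       options
# auth lines are shown only to keep the stack complete
login      auth         sufficient    libpam_unix.so.1
login      auth         required      libpam_ldap.so.1  try_first_pass

# deny_local: if the name, or the uid of the matching LDAP entry, also
# exists in /etc/passwd, pam_ldap returns PAM_IGNORE and the local
# account module's result decides.
login      account      required      libpam_unix.so.1
login      account      required      libpam_ldap.so.1  deny_local

# session functions are NULL for LDAP; the entry only keeps the stack
# complete, and nowarn silences the module's warnings.
login      session      required      libpam_unix.so.1
login      session      required      libpam_ldap.so.1  nowarn

# password: pam_ldap must be "required", never "optional" or "sufficient".
# try_first_pass reuses the old and new passwords already entered for the
# first password module and prompts again only if either is rejected.
login      password     required      libpam_unix.so.1
login      password     required      libpam_ldap.so.1  try_first_pass

# /etc/pam_user.conf fragment (constructed): the ignore option is given
# here, not in pam.conf, so pam_ldap returns PAM_IGNORE for this one
# local-only user in each listed module type.
# login_name  module_type  options
oper          account      ignore
oper          session      ignore
oper          password     ignore
```

With this layout a locally defined administrative account never depends on the directory being reachable, while directory-managed accounts must still pass the LDAP password policy because the password module is required.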
2 Hewlett-Packard Company 2 HP-UX 11i v3: June 2010 Web Release