HP-UX Reference (11i v3 07/02) - 5 Miscellaneous Topics (vol 9)

pam_ldap(5) pam_ldap(5)
NAME
pam_ldap - authentication, account, session, and password management PAM modules for LDAP
SYNOPSIS
/usr/lib/security/$ISA/libpam_ldap.so.1
DESCRIPTION
The LDAP service module for PAM, /usr/lib/security/$ISA/libpam_ldap.so.1, provides functionality for all four PAM modules: authentication, account management, session management and password management.
The libpam_ldap.so.1 module is a shared object that can be dynamically loaded to provide the necessary functionality upon demand. Its path is specified in the PAM configuration file.
LDAP Authentication Module
The LDAP authentication component provides functions to verify the identity of a user (pam_sm_authenticate()) and to set user specific credentials (pam_sm_setcred()).
pam_sm_authenticate() compares the user entered password with the password from the LDAP directory server. If the passwords match, the user is authenticated.
The following options may be passed to the UNIX service module:
debug          syslog() debugging information at LOG_DEBUG level. See syslog(3C).
nowarn         Turn off warning messages.
use_first_pass Compares the password in the password database with the user’s initial password (entered when the user authenticated to the first authentication module in the stack). If the passwords do not match, or if no password has been entered, quit and do not prompt the user for a password.
               This option should only be used if the authentication service is designated as optional in the pam.conf configuration file.
try_first_pass Compares the password in the password database with the user’s initial password (entered when the user authenticated to the first authentication module in the stack). If the passwords do not match, or if no password has been entered, prompt the user for a password.
ignore_unknown This flag will force pam_ldap’s authentication module to return [PAM_IGNORE] instead of [PAM_USER_UNKNOWN] for users not found in the LDAP repository. It should only be set if AUTH_MAXTRIES in pam_hpsec(5) is enabled for local users and pam_ldap is configured in the pam.conf configuration file after pam_unix.
When prompting for the current password, the LDAP authentication module will use the prompt "Password:".
The pam_sm_setcred() function sets user specific credentials. In the case of LDAP, this is a NULL function.
LDAP Account Management Module
The LDAP account management component provides a function to perform account management (pam_sm_acct_mgmt()). The function retrieves data from the PAM header, set during authentication, that indicates whether the password has expired on the directory server.
The following options may be passed to the module:
debug     syslog() debugging information at LOG_DEBUG level.
nowarn    Turn off warning messages.
rcommand  Some versions of HP-UX require this option for r-commands, such as rlogin(1), to work with PAM.
          Warning: Enabling the rcommand option could allow users with active accounts on a remote host to rlogin to the local host onto a disabled account.
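The three pam.conf constraints this page states for pam_ldap (use_first_pass only on an optional auth entry, ignore_unknown only when pam_ldap follows pam_unix in the auth stack, and the rcommand account option exposing disabled accounts to remote rlogin users) can be checked mechanically before a pam.conf is deployed. The script below is an added example written for this page, not HP-UX code; the sample pam.conf it lints is constructed, with one service (login) that follows the rules and one (dtlogin) that violates all three. It only inspects what pam.conf itself shows; the AUTH_MAXTRIES precondition from pam_hpsec(5) is not visible there and is not checked.

```shell
#!/bin/sh
# Added example (not part of the HP-UX manual): lint an HP-UX style pam.conf
# for the pam_ldap pitfalls described in pam_ldap(5).
# pam.conf field order: service type control_flag module_path [options...]

# Constructed sample pam.conf. "login" is configured as pam_ldap(5) advises;
# "dtlogin" lists pam_ldap before pam_unix, uses use_first_pass on a
# "required" entry, and sets rcommand on the account stack.
SAMPLE_PAM_CONF=$(cat <<'EOF'
# service  type     control   module                                    options
login      auth     required  /usr/lib/security/$ISA/libpam_hpsec.so.1
login      auth     required  /usr/lib/security/$ISA/libpam_unix.so.1
login      auth     optional  /usr/lib/security/$ISA/libpam_ldap.so.1   use_first_pass ignore_unknown
login      account  required  /usr/lib/security/$ISA/libpam_unix.so.1
login      account  optional  /usr/lib/security/$ISA/libpam_ldap.so.1
dtlogin    auth     required  /usr/lib/security/$ISA/libpam_ldap.so.1   use_first_pass ignore_unknown
dtlogin    auth     required  /usr/lib/security/$ISA/libpam_unix.so.1
dtlogin    account  required  /usr/lib/security/$ISA/libpam_ldap.so.1   rcommand
EOF
)

# lint_pam_conf: reads pam.conf text on stdin, prints one finding per line
# in the form "service: message". Nothing is printed for a clean file.
lint_pam_conf() {
    awk '
    /^[[:space:]]*(#|$)/ { next }              # skip comments and blank lines
    {
        svc = $1; type = $2; ctrl = $3; mod = $4
        opts = ""
        for (i = 5; i <= NF; i++) opts = opts " " $i   # leading space per option
        # Remember, per service, that a pam_unix auth entry has already appeared.
        if (type == "auth" && mod ~ /libpam_unix\.so/) unix_seen[svc] = 1
        if (type == "auth" && mod ~ /libpam_ldap\.so/) {
            if (opts ~ / use_first_pass/ && ctrl != "optional")
                print svc ": use_first_pass on a pam_ldap auth entry with control flag \"" ctrl "\" (pam_ldap(5) expects optional)"
            if (opts ~ / ignore_unknown/ && !(svc in unix_seen))
                print svc ": ignore_unknown on pam_ldap auth, but no pam_unix auth entry precedes it"
        }
        if (type == "account" && mod ~ /libpam_ldap\.so/ && opts ~ / rcommand/)
            print svc ": rcommand on pam_ldap account (disabled local accounts reachable via rlogin from remote hosts)"
    }'
}

# count_findings: number of finding lines for pam.conf text on stdin.
count_findings() {
    lint_pam_conf | grep -c ''
}

# Stand-alone run: lint the constructed sample. On a real host use
#   lint_pam_conf < /etc/pam.conf
printf '%s\n' "$SAMPLE_PAM_CONF" | lint_pam_conf
```

The ordering check is the one that matters most: ignore_unknown turns "user not found in LDAP" into PAM_IGNORE, so if pam_ldap is stacked before pam_unix the unknown-user result no longer counts against the local lockout logic the page ties to AUTH_MAXTRIES.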
LDAP Session Management Module
The LDAP session management component provides functions to initiate (pam_sm_open_session())
and terminate (pam_sm_close_session()) LDAP sessions. For LDAP, pam_open_session() is
352 Hewlett-Packard Company 1 HP-UX 11i Version 3: February 2007