pam_ldap (5) - Linux Man Pages

NAME
pam_ldap - LDAP pluggable authentication module
DESCRIPTION
The pam_ldap module is a Pluggable Authentication Module (PAM) which provides for authentication, authorization and password changing against LDAP servers.
Features of the PADL pam_ldap module include support for transport layer security (TLS), SASL authentication, directory server-enforced password policy, and host- and group-based logon authorization.
The present version of pam_ldap supports AIX 5L, FreeBSD 3.x and above, HP-UX 11i, IRIX 6.x, Linux, Mac OS X 10.2 and above, and Solaris 2.6 and above. Many vendors provide their own LDAP authentication providers, often also called pam_ldap. This manual page applies to the PADL pam_ldap module only. If you are using a vendor provided module, consult the relevant documentation instead.
When authenticating or authorizing a user, pam_ldap first maps the user's login name to a distinguished name by searching the directory server. This search is performed using the local system's own identity, as specified in ldap.conf. (Note that presently only simple authentication is supported for this initial step.)
To authenticate a user, pam_ldap attempts to bind to the directory server using the distinguished name retrieved in that search. Both simple and SASL authentication mechanisms are supported; in the former case, one should take care to use transport security to prevent the user's password from being transmitted in the clear.
A variety of authorization primitives are supported by pam_ldap, discussed in the configuration section below.
Finally, pam_ldap supports a number of password change protocols used by directory servers from various vendors. (Some directory servers support more than one password change protocol.)
Whilst pam_ldap is generally configured in the system LDAP naming configuration file (ldap.conf), some options can be configured in the PAM configuration file, to allow for per-service granularity. These options include the path to the LDAP naming configuration file to use, so in effect all options can be configured on a per-service basis. Options are listed below under PAM Configuration.
CONFIGURATION
pam_ldap stores its configuration in the ldap.conf file. (It should be noted that some LDAP client libraries, such as OpenLDAP, also use a configuration file of the same name. pam_ldap supports many of the same configuration file options as OpenLDAP, but it adds several that are specific to the functionality it provides. It is not guaranteed that pam_ldap will continue to match the configuration file semantics of OpenLDAP. You may wish to use different files.)
Configuration file options consist of a keyword followed by a space and any arguments. The following options are supported by pam_ldap and the PADL nss_ldap(5) module:
The pam_password option selects the protocol used to change a user's password. The supported values are:
- clear: Change password using an LDAPModify request, replacing the userPassword value with the new cleartext password.
- clear_remove_old: Change password using an LDAPModify request, first removing the userPassword value containing the old cleartext password, and then adding the userPassword value with the new cleartext password. This protocol is necessary for use with Novell NDS and IBM RACF.
- crypt: Change password using an LDAPModify request, first generating a one-way hash of the new password using crypt(3) and then replacing the userPassword value with the new hashed password.
- md5: Change password using an LDAPModify request, first generating a one-way hash of the new password using MD5 and then replacing the userPassword value with the new hashed password.
- nds: This is an alias for clear_remove_old.
- racf: This is an alias for clear_remove_old.
- ad: Change password using an LDAPModify request, using the Active Directory Services Interface (ADSI) password change protocol.
- exop: Change password using the RFC 3062 password modify extended operation (only the new password is sent).
- exop_send_old: Change password using the RFC 3062 password modify extended operation (both the old and new passwords are sent).
With the cleartext protocols (clear, clear_remove_old and their aliases) the new password travels to the server as an attribute value, so they depend on transport security in the same way as a simple bind does.
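The bind flow described above (search as the system identity, then bind as the user) and the cleartext password change protocols both depend on the transport being protected, and on the system identity's credential staying out of the world-readable ldap.conf. The following Python script is an added example, not PADL code: it parses the keyword-and-arguments format described above and flags those weaknesses. The keywords it inspects (uri, host, ssl, tls_checkpeer, binddn, bindpw, rootbinddn, pam_password) are standard PADL ldap.conf options that this page's option list does not reproduce, and are assumed here; the two sample configurations are constructed. The rootbinddn check relies on the PADL convention that the rootbinddn password is read from the root-only /etc/ldap.secret listed under FILES.

```python
"""Lint a PADL-style ldap.conf for the pitfalls described in pam_ldap(5).

Added example, not PADL code.  Keyword names are the standard PADL
ldap.conf options (assumed; this page's option list omits them), the
sample configurations are constructed, and the defaults modelled here
follow the PADL sample ldap.conf: no TLS unless requested, and peer
verification otherwise left to the libldap default."""

# Password change protocols as described on this page.
CLEARTEXT_PROTOCOLS = {"clear", "clear_remove_old", "nds", "racf"}
OTHER_PROTOCOLS = {"crypt", "md5", "ad", "exop", "exop_send_old"}


def parse_ldap_conf(text):
    """Keyword, whitespace, then arguments; '#' lines are comments.
    Repeated keywords (several uri lines, say) are accumulated in order."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        args = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(keyword, []).append(args)
    return conf


def transport_is_protected(conf):
    """True if TLS is forced (ssl on / start_tls) or every uri is ldaps://."""
    ssl_mode = conf.get("ssl", ["no"])[-1].lower()
    if ssl_mode in ("on", "yes", "start_tls"):
        return True
    if "host" in conf:            # bare host lines mean plain ldap:// here
        return False
    uris = " ".join(conf.get("uri", [])).split()
    return bool(uris) and all(u.lower().startswith("ldaps://") for u in uris)


def lint_ldap_conf(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_ldap_conf(text)
    findings = []
    protected = transport_is_protected(conf)
    if not protected:
        findings.append("no TLS: the user's simple bind password crosses the wire in clear")
    elif conf.get("tls_checkpeer", ["unset"])[-1].lower() != "yes":
        findings.append("tls_checkpeer not 'yes': server certificate is not verified against the CA")
    if "bindpw" in conf:
        # ldap.conf is normally world-readable so nss_ldap can use it.
        findings.append("bindpw in ldap.conf: readable by every local user; "
                        "use rootbinddn with the password in /etc/ldap.secret")
    for proto in (p.lower() for p in conf.get("pam_password", [])):
        if proto in CLEARTEXT_PROTOCOLS and not protected:
            findings.append(f"pam_password {proto}: new password sent in clear without TLS")
        elif proto not in CLEARTEXT_PROTOCOLS | OTHER_PROTOCOLS:
            findings.append(f"pam_password {proto}: not a protocol pam_ldap knows")
    return findings


WEAK_CONF = """# constructed sample: plain ldap://, proxy password on disk, cleartext change
uri ldap://ldap.example.com
base dc=example,dc=com
binddn cn=proxy,dc=example,dc=com
bindpw s3cret
pam_password clear
"""

HARDENED_CONF = """# constructed sample: ldaps://, verified CA, secret kept in /etc/ldap.secret
uri ldaps://ldap.example.com
base dc=example,dc=com
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/corp-ca.pem
rootbinddn cn=manager,dc=example,dc=com
pam_password exop
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, lint_ldap_conf(text) or ["ok"])
```

Run against a real /etc/ldap.conf by reading the file into lint_ldap_conf; the weak sample produces three findings (no TLS, bindpw on disk, cleartext pam_password) and the hardened one none.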
PAM CONFIGURATION
It is possible to configure some aspects of pam_ldap on a per-service basis, in the PAM configuration file (this is usually /etc/pam.conf; for PAM implementations based on Linux-PAM, per-service files in /etc/pam.d are also supported).
The following options may be specified as arguments to the pam_ldap module:
- config=path: Specifies that pam_ldap should use the configuration file at path instead of ldap.conf to retrieve its global configuration. Configuring multiple instances of pam_ldap for the same service with different configuration files is not supported, because the configuration information is cached.
- use_first_pass: Specifies that pam_ldap should always use the first password provided in the authentication stack.
- try_first_pass: Specifies that pam_ldap should first try the first password provided in the authentication stack, and then prompt the user for their LDAP password if authentication fails.
- ignore_unknown_user: Specifies that pam_ldap should return PAM_IGNORE for users that are not present in LDAP. This makes the PAM framework leave pam_ldap's result out of the stack's verdict for such users. The option is useful where certain accounts do not reside in LDAP, but one wishes to make pam_ldap "required" for all accounts in the directory. In this case one would make both pam_ldap and the other module (for example, pam_unix) "required" and enable the ignore_unknown_user option. (For this to work, the other module must behave similarly for users in the directory; in the case of a module such as pam_unix that uses the system accounts database, using nss_ldap(5) should be sufficient to meet this requirement.)
- ignore_authinfo_unavail: Specifies that pam_ldap should return PAM_IGNORE if it cannot contact the LDAP server. This option forces the PAM framework to ignore the pam_ldap module in this case, so the remaining modules in the stack alone decide the outcome while the server is unreachable.
- no_warn: Specifies that warning messages should not be propagated to the PAM application.
- use_authtok: Analogous to use_first_pass, for password changing only.
- debug: This option is recognized by pam_ldap but is presently ignored.
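To see how ignore_unknown_user and ignore_authinfo_unavail change the verdict of the "both required" stack described above, here is an added Python model; it is not pam_ldap or Linux-PAM code. It parses a constructed pam.d auth stack, applies Linux-PAM control-flag semantics in simplified form, and models pam_unix as seeing directory users through nss_ldap while the server is reachable, which is the condition the ignore_unknown_user text sets. The user names and passwords are constructed, and the rule that a stack with no verdict at all is denied is an assumption about the framework.

```python
"""Model the auth stack from the ignore_unknown_user text under several
users and an LDAP outage.  Added example, not pam_ldap or Linux-PAM code.

Simplifications (assumed): pam_unix sees local users plus, through
nss_ldap, directory users while the server is reachable; pam_ldap binds
as the user; a stack that produces no verdict is a denial."""

SUCCESS, AUTH_ERR, USER_UNKNOWN, AUTHINFO_UNAVAIL, IGNORE = (
    "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_USER_UNKNOWN",
    "PAM_AUTHINFO_UNAVAIL", "PAM_IGNORE")

LOCAL_USERS = {"root": "localpw"}     # constructed /etc/shadow contents
LDAP_USERS = {"alice": "dirpw"}       # constructed directory contents


def parse_pam_stack(text):
    """pam.d lines are: type control module [args...]; keep the auth ones."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        stack.append((fields[0], fields[1], fields[2], set(fields[3:])))
    return [entry for entry in stack if entry[0] == "auth"]


def pam_unix(user, password, args, ldap_up):
    visible = dict(LOCAL_USERS)
    if ldap_up:                        # nss_ldap answers getpwnam/getspnam
        visible.update(LDAP_USERS)
    if user not in visible:
        return USER_UNKNOWN
    return SUCCESS if visible[user] == password else AUTH_ERR


def pam_ldap(user, password, args, ldap_up):
    if not ldap_up:
        return IGNORE if "ignore_authinfo_unavail" in args else AUTHINFO_UNAVAIL
    if user not in LDAP_USERS:         # the DN search finds nothing
        return IGNORE if "ignore_unknown_user" in args else USER_UNKNOWN
    return SUCCESS if LDAP_USERS[user] == password else AUTH_ERR


MODULES = {"pam_unix.so": pam_unix, "pam_ldap.so": pam_ldap}


def run_auth_stack(stack, user, password, ldap_up=True):
    """Linux-PAM dispatch, simplified: PAM_IGNORE drops a module from the
    verdict; a required failure is remembered and the stack continues; a
    requisite failure returns at once; a sufficient success ends the stack
    unless a required module already failed; optional only counts when no
    other module produced a verdict."""
    failure = None
    verdict = None
    for _, control, module, args in stack:
        rc = MODULES[module](user, password, args, ldap_up)
        if rc == IGNORE:
            continue
        if control in ("required", "requisite"):
            if rc != SUCCESS:
                if control == "requisite":
                    return rc
                failure = failure or rc
            elif verdict is None:
                verdict = SUCCESS
        elif control == "sufficient":
            if rc == SUCCESS and failure is None:
                return SUCCESS
        elif control == "optional" and verdict is None and failure is None:
            verdict = rc
    if failure:
        return failure
    return verdict if verdict is not None else "PAM_PERM_DENIED"


STACK_WITH_OPTIONS = parse_pam_stack("""
# constructed /etc/pam.d/<service> auth section, as recommended above
auth required pam_unix.so
auth required pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
""")

STACK_PLAIN = parse_pam_stack("""
auth required pam_unix.so
auth required pam_ldap.so
""")

if __name__ == "__main__":
    for stack_name, stack in (("with options", STACK_WITH_OPTIONS), ("plain", STACK_PLAIN)):
        for user, pw, up in (("root", "localpw", True), ("alice", "dirpw", True),
                             ("mallory", "x", True), ("root", "localpw", False),
                             ("alice", "dirpw", False)):
            print(stack_name, user, "ldap up" if up else "ldap down",
                  run_auth_stack(stack, user, pw, ldap_up=up))
```

Two outcomes are worth noting. An account that exists nowhere is still denied with ignore_unknown_user set, because pam_unix's failure stands after pam_ldap is dropped from the verdict. During an outage, ignore_authinfo_unavail keeps the local root login working, while directory users are denied either way since nss_ldap can no longer resolve them; without the option the outage locks out root too.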
FILES
- /etc/ldap.conf, /etc/ldap.secret, /etc/pam.conf

AUTHOR
The pam_ldap module was developed by PADL Software Pty Ltd (www.padl.com).