The pam_ldap module is a Pluggable Authentication Module (PAM) which
provides for authentication, authorization and password changing against
LDAP servers. Features of the PADL pam_ldap module include support for
transport layer security, SASL authentication, directory server-enforced
password policy, and host- and group-based logon authorization.

The present version of pam_ldap supports AIX 5L, FreeBSD 3.x and above,
HP-UX 11i, IRIX 6.x, Linux, Mac OS X 10.2 and above, and Solaris 2.6 and
above. Many vendors provide their own LDAP authentication providers, often
also called pam_ldap. This manual page applies to the PADL pam_ldap module
only. If you are using a vendor-provided module, consult the relevant
documentation instead.

When authenticating or authorizing a user, pam_ldap first maps the user's
login name to a distinguished name by searching the directory server. This
must be possible using the local system's identity, specified in ldap.conf.
(Note that presently only simple authentication is supported for
authenticating in this initial step.)

To authenticate a user, pam_ldap attempts to bind to the directory server
using the distinguished name of the user (retrieved previously). Both simple
and SASL authentication mechanisms are supported; in the former case, one
should take care to use transport security to prevent the user's password
from being transmitted in the clear.

A variety of authorization primitives are supported by pam_ldap, discussed
in the configuration section below.

Finally, pam_ldap supports a number of password change protocols used by
directory servers from various vendors. (Some directory servers support more
than one password change protocol.)

Whilst pam_ldap is generally configured in the system LDAP naming
configuration file (ldap.conf), some options can be configured in the PAM
configuration file, to allow for per-service granularity. These options
include the path to the LDAP naming configuration file to use, so in effect
all options can be configured on a per-service basis. Options are listed
below under PAM Configuration.
CONFIGURATION

pam_ldap stores its configuration in the ldap.conf file. (It should be noted
that some LDAP client libraries, such as OpenLDAP, also use a configuration
file of the same name. pam_ldap supports many of the same configuration file
options as OpenLDAP, but it adds several that are specific to the
functionality it provides. It is not guaranteed that pam_ldap will continue
to match the configuration file semantics of OpenLDAP. You may wish to use
different files.)

Configuration file options consist of a keyword followed by a space and any
arguments. The following options are supported by both pam_ldap and the PADL
nss_ldap module:
host <name:port ...>
        Specifies the name(s) or IP address(es) of the LDAP server(s) to
        connect to. In the case that nss_ldap is used for host name
        resolution, each server should be specified as an IP address or
        name that can be resolved without using LDAP. Multiple servers may
        be specified, each separated by a space. The failover time depends
        on whether the LDAP client library supports configurable network
        or connect timeouts (see bind_timelimit below).

base <base>
        Specifies the default base distinguished name (DN) to use for
        searches.

uri <ldap[is]://[name[:port]] ...>
        For LDAP client libraries that support it, specifies the URI(s) of
        the LDAP server(s) to connect to. The URI scheme may be ldap, ldapi
        or ldaps, specifying LDAP over TCP, IPC and SSL respectively. If
        applicable, a port number can be specified; the default port
        number for the selected protocol is used if omitted. This option
        takes precedence over the host option; it is not possible to
        combine the two.

ldap_version <version>
        Specifies the version of the LDAP protocol to use. Presently
        version must be 2 or 3. The default is to use the maximum version
        supported by the client library.

binddn <binddn>
        Specifies the distinguished name with which to bind to the
        directory server(s). This option is optional; the default is to
        bind anonymously.

bindpw <bindpw>
        Specifies the cleartext credentials with which to bind. This
        option is only applicable when used with binddn above. The
        default is no credential (anonymous bind). When binding to the
        directory using SASL or other authentication mechanisms apart
        from simple binds, this option is not used.

rootbinddn <binddn>
        This option has the same syntax and effect as the binddn option
        above, except it applies when the effective user ID is zero. If
        not specified, then the identity specified in binddn is used
        instead. Because the configuration file may be readable by many
        users, the root bind DN credentials are stored in the ldap.secret
        file instead. This file is usually in the same directory as the
        configuration file.

port <port>
        Specifies the port to connect to; this option is used with the
        host option, and is ignored with the uri option.
scope <sub|one|base>
        Specifies the search scope (subtree, one level or base object).
        The default scope is subtree; base scope is almost never useful
        for nameservice lookups.

deref <never|searching|finding|always>
        Specifies the policy for dereferencing aliases. The default policy
        is to never dereference aliases.

timelimit <timelimit>
        Specifies the time limit (in seconds) to use when performing
        searches. A value of zero (0), which is the default, is to wait
        indefinitely for searches to be completed.

bind_timelimit <timelimit>
        Specifies the time limit (in seconds) to use when connecting to
        the directory server. This is distinct from the time limit
        specified in timelimit and affects the initial server connection
        only. (Server connections are otherwise cached.) Only some LDAP
        client libraries have the underlying functionality necessary to
        support this option. The default bind timelimit is 30 seconds.

referrals <yes|no>
        Specifies whether automatic referral chasing should be enabled.
        The default behaviour is specified by the LDAP client library.

restart <yes|no>
        Specifies whether the LDAP client library should restart the
        select(2) system call when interrupted. This feature is not
        supported by all client libraries.

logdir <directory>
        Specifies the directory used for logging by the LDAP client
        library. This feature is not supported by all client libraries.

debug <level>
        Specifies the debug level used for logging by the LDAP client
        library. This feature is not supported by all client libraries,
        and does not apply to the nss_ldap and pam_ldap modules themselves
        (debugging, if any, is configured separately and usually at
        compile time).
ssl <on|off|start_tls>
        Specifies whether to use SSL/TLS or not (the default is not to).
        If start_tls is specified then StartTLS is used rather than raw
        LDAP over SSL. Not all LDAP client libraries support both SSL and
        StartTLS, and all related configuration options.

sslpath <cert7_path>
        For the Netscape and Mozilla LDAP client libraries only, this
        specifies the path to the X.509 certificate database.

tls_checkpeer <yes|no>
        Specifies whether to require and verify the server certificate or
        not, when using SSL/TLS with the OpenLDAP client library. The
        default is to use the default behaviour of the client library;
        for OpenLDAP 2.0 and earlier it is "no", for OpenLDAP 2.1 and
        later it is "yes". At least one of tls_cacertdir and
        tls_cacertfile is required if peer verification is enabled.

tls_cacertdir <certificate_dir>
        Specifies the directory containing X.509 certificates for peer
        authentication.

tls_cacertfile <certificate_file>
        Specifies the path to the X.509 certificate for peer
        authentication.

tls_randfile <entropy_file>
        Specifies the path to an entropy source.

tls_ciphers <ciphers>
        Specifies the ciphers to use for TLS. See your TLS
        implementation's documentation for further information.

tls_cert <certificate_file>
        Specifies the path to the file containing the local certificate
        for client TLS authentication.

tls_key <key_file>
        Specifies the path to the file containing the private key for
        client TLS authentication.
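The following checker, an added example that is not part of pam_ldap or of this manual, parses an ldap.conf in the keyword-space-arguments form described above and reports the combinations this section warns about (uri overriding host, port ignored with uri, tls_checkpeer without a CA source, and simple binds without transport security). The sample configuration, its host names and DNs are constructed placeholders.

```python
"""Parse a PADL-style ldap.conf and flag settings that weaken the pam_ldap
authentication path.  Added example; this is not pam_ldap's own code."""

# Constructed sample configuration; host names, DNs and password are placeholders.
SAMPLE_LDAP_CONF = """\
host ldap1.example.test ldap2.example.test
uri ldap://ldap1.example.test/
base dc=example,dc=test
binddn cn=proxy,dc=example,dc=test
bindpw proxy-secret-placeholder
ssl off
tls_checkpeer yes
pam_check_host_attr yes
pam_password exop
"""

def parse_ldap_conf(text):
    """Keyword, a space, then the arguments; '#' lines and blanks are
    skipped.  A repeated keyword overrides the earlier occurrence."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return conf

def lint_ldap_conf(conf):
    """Return a list of findings for a parsed configuration."""
    findings = []
    uris = conf.get("uri", "").split()
    if uris and "host" in conf:
        findings.append("uri and host both set: uri takes precedence, host is ignored")
    if uris and "port" in conf:
        findings.append("port is ignored when uri is used")
    # Simple binds carry the user's password (and bindpw) in the clear unless
    # ssl/start_tls is on or every URI is ldaps:// (SSL) or ldapi:// (IPC).
    encrypted = conf.get("ssl", "off").lower() in ("on", "start_tls") or (
        uris and all(u.startswith(("ldaps://", "ldapi://")) for u in uris))
    if not encrypted:
        findings.append("ssl off: simple binds send passwords in the clear")
    if conf.get("tls_checkpeer", "").lower() == "yes" and not (
            "tls_cacertdir" in conf or "tls_cacertfile" in conf):
        findings.append("tls_checkpeer yes needs tls_cacertdir or tls_cacertfile")
    if "bindpw" in conf and "binddn" not in conf:
        findings.append("bindpw without binddn has no effect (anonymous bind)")
    if conf.get("pam_check_host_attr", "no").lower() == "yes":
        findings.append("pam_check_host_attr yes: users lacking a host attribute cannot log in")
    return findings
```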
The following configuration options apply to pam_ldap only:

pam_login_attribute <attribute>
        Specifies the attribute to use when constructing the attribute
        value assertion for retrieving a directory entry for a user's
        login name. The default is "uid", for compatibility with RFC 2307.

pam_filter <filter>
        Specifies a filter to use when retrieving user information. The
        user entry must match the attribute value assertion of
        (pam_login_attribute=login_name) as well as any filter specified
        here. There is no default for this option.

pam_lookup_policy <yes|no>
        Specifies whether to search the root DSE for password policy. The
        default is "no".

pam_check_host_attr <yes|no>
        Specifies whether the "host" attribute should be checked for logon
        authorization ("account" in the PAM stack). The default is not
        to. If set to "yes" and a user has no value for the "host"
        attribute, then the user will be unable to log in.

pam_check_service_attr <yes|no>
        Specifies whether the "authorizedService" attribute should be
        checked for logon authorization ("account" in the PAM stack). The
        default is not to. If set to "yes" and a user has no value for
        the "authorizedService" attribute, then the user will be unable
        to log in.

pam_groupdn <groupdn>
        Specifies the distinguished name of a group to which a user must
        belong for logon authorization to succeed.

pam_member_attribute <attribute>
        Specifies the attribute to use when testing a user's membership of
        a group specified in the pam_groupdn option.

pam_min_uid <uid>
        If specified, a user must have a POSIX user ID of at least uid in
        order for logon authorization to succeed.

pam_max_uid <uid>
        If specified, a user must have a POSIX user ID of no greater than
        uid in order for logon authorization to succeed.

pam_template_login_attribute <attribute>
        When using template users (not supported by all PAM applications),
        specifies the attribute containing the user's actual login name.
        The pam_ldap module will set PAM_USER to the value of this
        attribute if present in the user's entry, otherwise it defaults
        to the user specified in the pam_template_login option.

pam_template_login <user>
        When using template users (not supported by all PAM applications),
        pam_ldap will set PAM_USER to the value of this option if the user
        does not contain a template login attribute.

pam_password <protocol>
        Specifies the password change protocol to use. The following
        protocols are supported:

        clear
                Change password using an LDAPModify request, replacing
                the userPassword value with the new cleartext password.

        clear_remove_old
                Change password using an LDAPModify request, first
                removing the userPassword value containing the old
                cleartext password, and then adding the userPassword
                value with the new cleartext password. This protocol is
                necessary for use with Novell NDS and IBM RACF.

        crypt
                Change password using an LDAPModify request, first
                generating a one-way hash of the new password using
                crypt(3) and then replacing the userPassword value with
                the new hashed password.

        md5
                Change password using an LDAPModify request, first
                generating a one-way hash of the new password using MD5
                and then replacing the userPassword value with the new
                hashed password.

        nds
                This is an alias for clear_remove_old.

        racf
                This is an alias for clear_remove_old.

        ad
                Change password using an LDAPModify request, using the
                Active Directory Services Interface (ADSI) password
                change protocol.

        exop
                Change password using the RFC 3062 password modify
                extended operation (only the new password is sent).

        exop_send_old
                Change password using the RFC 3062 password modify
                extended operation (both the old and new passwords are
                sent).

pam_password_prohibit_message <message>
        Specifies a message to send to users indicating that passwords
        cannot be changed. This could be used to redirect users to
        another means of changing passwords.

pam_sasl_mech <mechanism>
        Specifies the SASL mechanism to use for PAM authentication. This
        requires that SASL libraries be installed. Support for this
        functionality is presently experimental and does not support
        password policy controls.
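The logon-authorization options above (pam_check_host_attr, pam_check_service_attr, pam_groupdn with pam_member_attribute, pam_min_uid and pam_max_uid) combine in the PAM "account" step. The function below is an added illustration of that combination, not pam_ldap's own code; it assumes, beyond what this manual states, that host and authorizedService values are compared as exact strings, that the POSIX user ID is read from the RFC 2307 uidNumber attribute, and that group membership means the user's DN appears among the group entry's pam_member_attribute values. The user, group and configuration data are constructed placeholders.

```python
"""Evaluate pam_ldap's logon-authorization checks (PAM 'account' step)
against an LDAP user entry.  Added example, not pam_ldap's own code.
Entries are dicts of attribute -> list of values, as LDAP clients return."""

# Assumptions beyond the manual: host/authorizedService values are matched
# as exact strings, the POSIX uid comes from the RFC 2307 uidNumber attribute,
# and membership means the user's DN is listed under pam_member_attribute
# in the group entry (pam_member_attribute must be set with pam_groupdn).
def authorize(conf, user, hostname, service, group=None):
    """Return (allowed, reason) for one logon attempt."""
    if conf.get("pam_check_host_attr", "no") == "yes":
        hosts = user.get("host", [])
        if not hosts:
            return False, "no host attribute, user cannot log in"
        if hostname not in hosts:
            return False, "host %s not in user's host attribute" % hostname
    if conf.get("pam_check_service_attr", "no") == "yes":
        services = user.get("authorizedService", [])
        if not services:
            return False, "no authorizedService attribute, user cannot log in"
        if service not in services:
            return False, "service %s not authorized" % service
    if "pam_groupdn" in conf:
        members = (group or {}).get(conf["pam_member_attribute"], [])
        if user["dn"] not in members:
            return False, "not a member of %s" % conf["pam_groupdn"]
    uid = int(user["uidNumber"][0])
    if "pam_min_uid" in conf and uid < int(conf["pam_min_uid"]):
        return False, "uid %d below pam_min_uid" % uid
    if "pam_max_uid" in conf and uid > int(conf["pam_max_uid"]):
        return False, "uid %d above pam_max_uid" % uid
    return True, "authorized"

# Constructed sample data (placeholder names and DNs).
CONF = {
    "pam_check_host_attr": "yes",
    "pam_check_service_attr": "yes",
    "pam_groupdn": "cn=shell-users,ou=groups,dc=example,dc=test",
    "pam_member_attribute": "uniqueMember",
    "pam_min_uid": "1000",
    "pam_max_uid": "59999",
}
ALICE = {
    "dn": "uid=alice,ou=people,dc=example,dc=test",
    "uidNumber": ["1001"],
    "host": ["build01"],
    "authorizedService": ["sshd"],
}
SHELL_USERS = {"uniqueMember": [ALICE["dn"]]}
```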
PAM CONFIGURATION

It is possible to configure some aspects of pam_ldap on a per-service
basis, in the PAM configuration file (this is usually /etc/pam.conf; for
PAM implementations based on Linux-PAM, per-service files in /etc/pam.d
are also supported).

The following options may be specified as arguments to the pam_ldap
module:

config=<path>
        Specifies that pam_ldap should use the configuration file in path
        instead of ldap.conf to retrieve its global configuration.
        Configuring multiple instances of pam_ldap for the same service
        with different configuration files is not supported, because the
        configuration information is cached.

use_first_pass
        Specifies that pam_ldap should always use the first password
        provided in the authentication stack.

try_first_pass
        Specifies that pam_ldap should first try the first password
        provided in the authentication stack, and then prompt the user
        for their LDAP password if authentication fails.

ignore_unknown_user
        Specifies that pam_ldap should return PAM_IGNORE for users that
        are not present in LDAP. This forces the PAM framework to ignore
        the pam_ldap module. This option is useful where certain accounts
        do not reside in LDAP, but one wishes to make pam_ldap "required"
        for all accounts in the directory. In this case one would make
        both pam_ldap and the other module (for example, pam_unix)
        "required" and enable the ignore_unknown_user option. (For this
        to work, the other module must behave similarly for users in the
        directory; in the case of a module such as pam_unix that uses the
        system accounts database, using nss_ldap(5) should be sufficient
        to meet this requirement.)

ignore_authinfo_unavail
        Specifies that pam_ldap should return PAM_IGNORE if it cannot
        contact the LDAP server. This option forces the PAM framework to
        ignore the pam_ldap module in this case.

no_warn
        Specifies that warning messages should not be propagated to the
        PAM application.

use_authtok
        Analogous to use_first_pass for password changing only.

debug
        This option is recognized by pam_ldap but is presently ignored.
AUTHOR

The pam_ldap module was developed by PADL Software Pty Ltd (www.padl.com).