pam_ldap(5)                                                        pam_ldap(5)

NAME
       pam_ldap - authentication, account, session, and password management
       PAM modules for LDAP

SYNOPSIS

DESCRIPTION
The LDAP service module for PAM provides functionality for all four
PAM module types: authentication, account management, session management and
password management.
The module is a shared object that can be dynamically loaded to provide
the necessary functionality upon demand. Its path is specified in the
PAM configuration file.
LDAP Authentication Module
The LDAP authentication component provides functions to verify the
identity of a user and to set user-specific credentials. The authentication
function compares the password entered by the user with the password held in
the LDAP directory server. If the passwords match, the user is authenticated.
The following options may be passed to the LDAP service module:
Logs debugging information through syslog(3C).
Turn off warning messages.
Compares the password in the password database with the user's initial
password (entered when the user authenticated to the first
authentication module in the stack). If the passwords do not
match, or if no password has been entered, quit and do not
prompt the user for a password.
This option should only be used if the authentication service is
designated as in the configuration file.
Compares the password in the password database with the user's initial
password (entered when the user authenticated to the first
authentication module in the stack). If the passwords do not
match, or if no password has been entered, prompt the user for a
password.
This flag will force
authentication module to return instead of for users not found
in the ldap repository. It should only be set if in
pam_hpsec(5) is enabled for local users and is configured in the
configuration file after
Discovers whether the specified account name exists in the /etc/passwd file,
or whether an account entry with the matching name in the LDAP directory
has a UID number that matches an account in the /etc/passwd
file. If either of the above conditions is true, PAM_IGNORE is
returned. Otherwise the appropriate authentication status is
returned.
Returns
This option is not intended to be specified in the pam.conf(4)
file, but may be used in the pam_user.conf(4) file to specify
that pam_ldap should ignore specific user names.
When prompting for the current password, the LDAP authentication module
will use the prompt:
The credential-setting function sets user-specific credentials. In the case
of LDAP, this is a NULL function.
LDAP Account Management Module
The LDAP account management component provides a function to perform
account management. The function retrieves data from the PAM handle
that was set during authentication and that indicates whether the password
has expired on the directory server.
Logs debugging information through syslog(3C).
Turn off warning messages.
Some versions of HP-UX require this option for services
such as rlogin(1) to work with PAM.
Warning: Enabling the option could allow users with active
accounts on a remote host to log in to the local host onto a disabled
account.
Discovers whether the specified account name exists in the /etc/passwd file,
or whether an account entry with the matching name in the LDAP directory
has a UID number that matches an account in the /etc/passwd
file. If either of the above conditions is true, PAM_IGNORE is
returned. Otherwise the appropriate account management status
is returned.
Returns
This option is not intended to be specified in the pam.conf(4)
file, but may be used in the pam_user.conf(4) file to specify
that pam_ldap should ignore specific user names.
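The local-account check described for both the authentication and the account management components is the part of this page worth tracing by hand: a name that already exists in /etc/passwd, or a directory entry whose UID number collides with a local account, is handed back to the other modules in the stack rather than being authenticated against the directory. The following is an added example, not code from pam_ldap or HP-UX: a Python model of that decision rule over a constructed passwd(4) file and a constructed LDIF snapshot. The PROCEED_WITH_LDAP marker and the sample data are assumptions made for the example; the real module returns whatever PAM status its normal processing yields in that case.

```python
# Added example (not the pam_ldap module's own code): a model of the
# /etc/passwd shadowing check described for the authentication and
# account-management components. The module returns PAM_IGNORE when the
# name exists locally, or when the LDAP entry of that name carries a
# uidNumber already used by a local account; otherwise it proceeds.
# The sample passwd text and LDIF below are constructed for the example.

PAM_IGNORE = "PAM_IGNORE"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PROCEED_WITH_LDAP = "PROCEED_WITH_LDAP"  # hypothetical marker: module handles the user


def parse_passwd(text):
    """Return {name: uid} from passwd(4)-style text; malformed lines are rejected."""
    users = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"passwd line {lineno}: expected 7 fields, got {len(fields)}")
        name, uid = fields[0], fields[2]
        if not uid.isdigit():
            raise ValueError(f"passwd line {lineno}: non-numeric uid {uid!r}")
        if name in users:
            raise ValueError(f"passwd line {lineno}: duplicate user {name!r}")
        users[name] = int(uid)
    return users


def parse_ldif(text):
    """Return {uid: uidNumber} from minimal LDIF (entries separated by blank lines)."""
    entries = {}
    current = {}
    for raw in text.splitlines() + [""]:   # trailing "" flushes the last entry
        line = raw.rstrip()
        if not line:
            if current:
                name = current.get("uid")
                num = current.get("uidnumber")
                if name is not None and num is not None and num.isdigit():
                    entries[name] = int(num)
                current = {}
            continue
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        current[attr.strip().lower()] = value.strip()
    return entries


def ldap_disposition(user, local_users, ldap_users):
    """Apply the documented rule for one account name."""
    if user in local_users:
        return PAM_IGNORE          # local account: leave it to the local modules
    if user not in ldap_users:
        return PAM_USER_UNKNOWN    # not in the directory either
    if ldap_users[user] in set(local_users.values()):
        return PAM_IGNORE          # directory entry collides with a local UID
    return PROCEED_WITH_LDAP


# Constructed sample data: one local user plus a directory that tries to
# shadow the local name, a local UID, and UID 0.
SAMPLE_PASSWD = """\
root:x:0:0:root:/:/sbin/sh
daemon:x:1:5::/:/sbin/sh
alice:x:1000:20:Alice Local:/home/alice:/usr/bin/sh
"""

SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
uidNumber: 2000

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
uidNumber: 1000

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
uidNumber: 2001

dn: uid=svcbackup,ou=People,dc=example,dc=com
uid: svcbackup
uidNumber: 0
"""


def run_sample():
    local = parse_passwd(SAMPLE_PASSWD)
    directory = parse_ldif(SAMPLE_LDIF)
    return {u: ldap_disposition(u, local, directory)
            for u in ("alice", "bob", "carol", "svcbackup", "nobody")}


if __name__ == "__main__":
    for user, result in run_sample().items():
        print(f"{user:10s} -> {result}")
```

Only carol reaches the directory: alice is shadowed by name, bob by UID 1000, and svcbackup by UID 0, which is the case that matters most, since an attacker who can write directory entries would otherwise be able to mint a second root. The check answers only the question this page asks; it does not replace per-user entries in pam_user.conf(4) for accounts you want excluded outright.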
LDAP Session Management Module
The LDAP session management component provides functions to initiate
and terminate LDAP sessions. For LDAP, the session-initiation function is a
NULL function. The following options may be passed in to the LDAP service
module:
Logs debugging information through syslog(3C).
Turn off warning messages.
Returns
This option is not intended to be specified in the pam.conf(4)
file, but may be used in the pam_user.conf(4) file to specify
that pam_ldap should ignore specific user names.
The session-termination function is also a NULL function.
LDAP Password Management Module
The LDAP password management component provides a function to change
passwords in the LDAP directory server. This module must be in It cannot
be or The following options may be passed in to the LDAP service
module:
Logs debugging information through syslog(3C).
Turn off warning messages.
Compares the password in the password database with the user's old
password (entered to the first password module in the stack).
If the passwords do not match, or if no password has been
entered, quit and do not prompt the user for the old password.
It also attempts to use the new password (entered to the first
password module in the stack) as the new password for this mod‐
ule. If the new password fails, quit and do not prompt the user
for a new password.
Compares the password in the password database with the user's old
password (entered to the first password module in the stack).
If the passwords do not match, or if no password has been
entered, prompt the user for the old password. It also attempts
to use the new password (entered to the first password module in
the stack) as the new password for this module. If the new
password fails, prompt the user for a new password.
Returns
This option is not intended to be specified in the pam.conf(4)
file, but may be used in the pam_user.conf(4) file to specify
that pam_ldap should ignore specific user names.
If the user's password has expired, the LDAP account module saves this
information in the authentication handle. The LDAP password module
retrieves this information from the authentication handle to
determine whether or not to force the user to update their password.
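Every option above that reuses a password "entered to the first module in the stack" only makes sense once the stack order is fixed, and the account and password components depend on pam_ldap running after the local modules. The fragment below is an added example of such a pam.conf(4) stack for one service; it is not from this page or from any HP-UX default configuration. The service name, the module file names, the control flags and the use of the conventional PAM option name try_first_pass are assumptions; check them against your own pam.conf(4) and against the control-flag restriction this page places on the password module.

```conf
# Added example, not taken from pam_ldap(5) or from an HP-UX default file.
# One service, all four module types, local modules first so that pam_ldap
# sees the password already collected by the first module in each stack.
# Module names, flags and the try_first_pass option name are assumed.
#
# service  module_type  control_flag  module_path         options
login      auth         required      libpam_hpsec.so.1
login      auth         sufficient    libpam_unix.so.1
login      auth         required      libpam_ldap.so.1    try_first_pass

login      account      required      libpam_hpsec.so.1
login      account      sufficient    libpam_unix.so.1
login      account      required      libpam_ldap.so.1

login      session      required      libpam_hpsec.so.1
login      session      sufficient    libpam_unix.so.1
login      session      required      libpam_ldap.so.1

login      password     required      libpam_hpsec.so.1
login      password     sufficient    libpam_unix.so.1
login      password     required      libpam_ldap.so.1    try_first_pass
```

With this order a local user is finished by the sufficient pam_unix line and never reaches the directory, while a directory user falls through to pam_ldap, which reuses the already-entered password and prompts only if that password is rejected. Do not put the per-user ignore option on these lines; as the page states, it belongs in pam_user.conf(4).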
SEE ALSO
       pam(3), pam_authenticate(3), pam_setcred(3), syslog(3C), pam.conf(4),
       pam_user.conf(4), ldapux(5).
pam_ldap(5)