pam_ldap(5)

HP-UX 11i Version 3: February 2007
NAME

pam_ldap — authentication, account, session, and password management PAM modules for LDAP

SYNOPSIS

/usr/lib/security/$ISA/libpam_ldap.so.1

DESCRIPTION

The LDAP service module for PAM, /usr/lib/security/$ISA/libpam_ldap.so.1, provides functionality for all four PAM modules: authentication, account management, session management and password management.

The libpam_ldap.so.1 module is a shared object that can be dynamically loaded to provide the necessary functionality upon demand. Its path is specified in the PAM configuration file.

LDAP Authentication Module

The LDAP authentication component provides functions to verify the identity of a user (pam_sm_authenticate()) and to set user-specific credentials (pam_sm_setcred()).

pam_sm_authenticate() compares the password entered by the user with the password stored in the LDAP directory server. If the passwords match, the user is authenticated.

The following options may be passed to the LDAP service module:

debug

syslog() debugging information at LOG_DEBUG level. See syslog(3C).

nowarn

Turn off warning messages.

use_first_pass

Compares the password in the password database with the user's initial password (entered when the user authenticated to the first authentication module in the stack). If the passwords do not match, or if no password has been entered, quit and do not prompt the user for a password.

This option should only be used if the authentication service is designated as optional in the pam.conf configuration file.

try_first_pass

Compares the password in the password database with the user's initial password (entered when the user authenticated to the first authentication module in the stack). If the passwords do not match, or if no password has been entered, prompt the user for a password.

ignore_unknown

This flag forces pam_ldap's authentication module to return PAM_IGNORE instead of PAM_USER_UNKNOWN for users not found in the LDAP repository. It should only be set if AUTH_MAXTRIES in pam_hpsec(5) is enabled for local users and pam_ldap is configured in the pam.conf configuration file after pam_unix.

When prompting for the current password, the LDAP authentication module will use the prompt: Password:.

The pam_sm_setcred() function sets user specific credentials. In the case of LDAP, this is a NULL function.

LDAP Account Management Module

The LDAP account management component provides a function to perform account management (pam_sm_acct_mgmt()). The function retrieves data from the PAM handle that was set during authentication, which indicates whether the password has expired on the directory server. The following options may be passed to the LDAP service module:

debug

syslog() debugging information at LOG_DEBUG level.

nowarn

Turn off warning messages.

rcommand

Some versions of HP-UX require this option for r-commands, such as rlogin(1), to work with PAM.

Warning: Enabling the rcommand option could allow users with active accounts on a remote host to rlogin to the local host into a disabled account.

LDAP Session Management Module

The LDAP session management component provides functions to initiate (pam_sm_open_session()) and terminate (pam_sm_close_session()) LDAP sessions. For LDAP, pam_sm_open_session() is a NULL function. The following options may be passed to the LDAP service module:

debug

syslog() debugging information at LOG_DEBUG level.

nowarn

Turn off warning messages.

pam_sm_close_session() is also a NULL function.

LDAP Password Management Module

The LDAP password management component provides a function to change passwords (pam_sm_chauthtok()) in the LDAP directory server. This module must be configured as required in pam.conf; it cannot be optional or sufficient. The following options may be passed to the LDAP service module:

debug

syslog() debugging information at LOG_DEBUG level.

nowarn

Turn off warning messages.

use_first_pass

Compares the password in the password database with the user's old password (entered to the first password module in the stack). If the passwords do not match, or if no password has been entered, quit and do not prompt the user for the old password. It also attempts to use the new password (entered to the first password module in the stack) as the new password for this module. If the new password fails, quit and do not prompt the user for a new password.

try_first_pass

Compares the password in the password database with the user's old password (entered to the first password module in the stack). If the passwords do not match, or if no password has been entered, prompt the user for the old password. It also attempts to use the new password (entered to the first password module in the stack) as the new password for this module. If the new password fails, prompt the user for a new password.

If the user's password has expired, the LDAP account module saves this information in the authentication handle using pam_set_data(). The LDAP password module retrieves this information from the authentication handle using pam_get_data() to determine whether or not to force the user to update their password.
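As an added example (not HP's code and not part of this man page), the following Python checker reads a pam.conf and flags pam_ldap entries that break the constraints stated above: ignore_unknown on an auth entry that is not stacked after pam_unix, use_first_pass on an auth entry that is not optional, and a password entry whose control flag is not required. It assumes the standard whitespace-separated pam.conf layout (service, module type, control flag, module path, options) and uses a constructed sample configuration.

```python
# Added example (not HP's code): a small checker for the pam_ldap stacking
# rules stated in pam_ldap(5), assuming the standard whitespace-separated
# pam.conf layout: service  type  control  module-path  [options...].

# Constructed sample pam.conf fragment; the dtlogin and password lines
# deliberately violate the rules so the checker has something to report.
SAMPLE_PAM_CONF = """
login    auth      required    /usr/lib/security/$ISA/libpam_unix.so.1
login    auth      sufficient  /usr/lib/security/$ISA/libpam_ldap.so.1  try_first_pass ignore_unknown
login    password  required    /usr/lib/security/$ISA/libpam_unix.so.1
login    password  optional    /usr/lib/security/$ISA/libpam_ldap.so.1  try_first_pass
dtlogin  auth      sufficient  /usr/lib/security/$ISA/libpam_ldap.so.1  use_first_pass ignore_unknown
dtlogin  auth      required    /usr/lib/security/$ISA/libpam_unix.so.1
"""


def parse_pam_conf(text):
    """Return (service, type, control, module, options) per entry; skip comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 4:
            entries.append((fields[0], fields[1], fields[2], fields[3], set(fields[4:])))
    return entries


def check_pam_ldap(text):
    """Return findings for pam_ldap entries that break the man page's stacking rules."""
    findings = []
    entries = parse_pam_conf(text)
    for idx, (svc, mtype, control, module, opts) in enumerate(entries):
        if not module.endswith("libpam_ldap.so.1"):
            continue
        if mtype == "auth":
            # ignore_unknown is only meant for pam_ldap stacked after pam_unix for the same service.
            if "ignore_unknown" in opts and not any(
                s == svc and t == "auth" and m.endswith("libpam_unix.so.1")
                for s, t, _c, m, _o in entries[:idx]
            ):
                findings.append(f"{svc} auth: ignore_unknown set but pam_ldap is not after pam_unix")
            # use_first_pass is meant only for an auth entry designated optional.
            if "use_first_pass" in opts and control != "optional":
                findings.append(f"{svc} auth: use_first_pass with control '{control}', expected optional")
        elif mtype == "password" and control != "required":
            # The password module must be required, never optional or sufficient.
            findings.append(f"{svc} password: pam_ldap control is '{control}', must be required")
    return findings
```

Calling check_pam_ldap(SAMPLE_PAM_CONF) on the sample reports the optional password entry and both problems with the dtlogin auth entry, while the login auth stack passes.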

© 1983-2007 Hewlett-Packard Development Company, L.P.