Authentication and Services

The authentication method can be specified for a given service in the serviceAuthenticationMethod attribute. The following services currently support this.

• passwd-cmd

  This service is used by passwd(1) to change the login password and password attributes.

• keyserv

  This service is used by the chkey(1) and newkey(1M) utilities to create and change a user's Diffie-Hellman key pair.

• pam_ldap

  This service is used for authenticating users with pam_ldap(5).

  pam_ldap supports account management.

If the service does not have a serviceAuthenticationMethod set, it will default to the value of the authenticationMethod attribute.

In per-user mode, pam_krb5 Service Module (pam Kerberos) is used as the authentication service. ServiceAuthenticationMethod is not needed in this mode of operation.

If the enableShadowUpdate switch is set to true, the ldap_cachemgr daemon binds to the LDAP server by using the authentication method that is defined in the serviceAuthenticationMethod parameter of passwd-cmd, if the method is defined. Otherwise, authenticationMethod is used. The daemon will not use the none authentication method.

The following example shows a section of a client profile in which the users will use sasl/digest-MD5 to authenticate to the directory server, but will use an SSL session to change their password.

serviceAuthenticationMethod=pam_ldap:sasl/digest-MD5
serviceAuthenticationMethod=passwd-cmd:tls:simple