System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP)

pam_ldap Service Module

When implementing pam_ldap, the user binds to the LDAP server by using the authentication method defined in pam_ldap's serviceAuthenticationMethod parameter, if one exists. Otherwise, authenticationMethod is used.

If pam_ldap is able to bind to the server with the user's identity and supplied password, it authenticates the user.

Note –

Previously, if you enabled pam_ldap account management, all users needed to provide a login password for authentication any time they logged in to the system. Therefore, nonpassword-based logins using tools such as rsh, rlogin, or ssh would fail.

Now, however, pam_ldap(5), when used with Sun Java System Directory Servers DS5.2p4 and newer releases, enables users to log in with rsh, rlogin, rcp and ssh without giving a password.

pam_ldap(5) is now modified to perform account management and retrieve the account status of users without authenticating to Directory Server as the user logging in. The new control to this on Directory Server is, which is enabled by default.

To modify this control for other than default, add Access Control Instructions (ACI) on Directory Server:

dn: oid=,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
cn:Password Policy Account Usable Request Control
aci: (targetattr != "aci")(version 3.0; acl "Account Usable"; 
     allow (read, search, compare, proxy)
     (groupdn = "ldap:///cn=Administrators,cn=config");)
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=server,cn=plugins,cn=config

pam_ldap does not read the userPassword attribute. Therefore, there is no need to grant access to read the userPassword attribute unless there are other clients using pam_unix. Also, pam_ldap does not support the none authentication method. Thus, you must define the serviceAuthenticationMethod or the authenticationMethod attributes so clients can use pam_ldap. See the pam_ldap(5) man page for more information.

Caution – Caution –

If the simple authentication method is used, the userPassword attribute can be read on the wire by third parties.

See Example pam.conf File for pam_ldap.

The following table summarizes the main differences between pam_unix, pam_ldap, and pam_krb5.

Table 9–5 Authentication Behavior in LDAP With pam_unix, pam_ldap, and pam_krb5





Password Sent  

Uses passwd service authentication method

Uses passwd service authentication method

Uses Kerberos single sign on technology, not passwords 

New Password Sent 


No encryption (unless TLS is used) 

Uses Kerberos, no passwords are sent over the wire 

New Password Stored 

crypt format

Password storage scheme defined on Sun Java System Directory Server 

Passwords are managed by Kerberos 

Requires password read? 




sasl/digest-MD5 compatibility after changing password

No. Password is not stored in clear. User cannot authenticate.

Yes. As long as default storage scheme is set to clear, user can authenticate.

No. sasl/GSSAPI is used. There are no passwords over the wire and there are no passwords to be stored in the directory server, except when using a Kerberos kdc that manages its password database in the LDAP directory server.

Password policy supported? 

Yes. enableShadowUpdate must be set to true.

Yes, if so configured. 

See pam_krb5(5), Kerberos V5 Account Management Module.