Working With Oracle^® Solaris 11.3 Directory and Naming Services: LDAP

Configuring PAM for LDAP

The pam_ldap module is a PAM module option for LDAP to authenticate clients and to perform account management. If you configured the client profile's authentication mode as simple and the credential level as self, you must also enable the pam_krb module.

For more information, see:

• pam_ldap(5) man page

• pam_krb5(5) man page

• Managing Kerberos and Other Authentication Services in Oracle Solaris 11.3

The following example shows a sample pam.conf file using the pam_ldap module for account management.

Example 6  Sample pam.conf File Using the pam_ldap Module for Account Management

This example displays a sample pam.conf file.

#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth requisite        pam_authtok_get.so.1
login   auth required         pam_dhkeys.so.1
login   auth required         pam_unix_cred.so.1
login   auth required         pam_dial_auth.so.1
login   auth binding          pam_unix_auth.so.1 server_policy
login   auth required         pam_ldap.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient       pam_rhosts_auth.so.1
rlogin  auth requisite        pam_authtok_get.so.1
rlogin  auth required         pam_dhkeys.so.1
rlogin  auth required         pam_unix_cred.so.1
rlogin  auth binding          pam_unix_auth.so.1 server_policy
rlogin  auth required         pam_ldap.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient       pam_rhosts_auth.so.1
rsh     auth required         pam_unix_cred.so.1
rsh     auth binding          pam_unix_auth.so.1 server_policy
rsh     auth required         pam_ldap.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite        pam_authtok_get.so.1
ppp     auth required         pam_dhkeys.so.1
ppp     auth required         pam_dial_auth.so.1
ppp     auth binding          pam_unix_auth.so.1 server_policy
ppp     auth required         pam_ldap.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite        pam_authtok_get.so.1
other   auth required         pam_dhkeys.so.1
other   auth required         pam_unix_cred.so.1
other   auth binding          pam_unix_auth.so.1 server_policy
other   auth required         pam_ldap.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth binding          pam_passwd_auth.so.1 server_policy
passwd  auth required         pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required      pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite     pam_roles.so.1
other   account binding       pam_unix_account.so.1 server_policy
other   account required      pam_ldap.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required      pam_unix_session.so.1
#
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required     pam_dhkeys.so.1
other   password requisite    pam_authtok_get.so.1
other   password requisite    pam_authtok_check.so.1
other   password required     pam_authtok_store.so.1 server_policy
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#

Configuring PAM to Use UNIX policy

The /etc/pam.conf file serves as the default configuration file for PAM to use UNIX policy. Typically, you do not need to introduce changes to this file. However, if you want to change the password aging and password policy that is controlled by the shadow data, you must configure the client to use the enableShadowUpdate switch. For an example of initializing an LDAP client to enable updating of shadow data, see Initializing an LDAP Client.

For more information about the PAM configuration file, see the pam.conf(4) man page.

Configuring PAM to Use LDAP server_policy

To configure the sample pam.conf file in Example 6, Sample pam.conf File Using the pam_ldap Module for Account Management to use LDAP server_policy, perform the following additional steps:

1. Add the lines that contain pam_ldap.so.1 to the client's /etc/pam.conf file.

2. If any PAM module in the sample file specifies the binding flag and the server_policy option, use the same flag and option for the corresponding module in the client's /etc/pam.conf file.

   Using the binding control flag allows a local password to override a remote (LDAP) password. For example, if a user account is found on both the local files and the LDAP namespace, the password associated with the local account takes precedence over the remote password. Thus, if the local password expires, authentication fails even if the remote LDAP password is still valid.

   The server_policy option instructs pam_unix_auth, pam_unix_account, and pam_passwd_auth to ignore a user found in the LDAP namespace and to allow pam_ldap to perform authentication or account validation. In the case of pam_authtok_store, a new password is passed to the LDAP server without encryption. The password is then stored in the directory according to the password encryption scheme configured on the server. For more information, see the pam.conf(4) and pam_ldap(5) man pages.

3. Add the server_policy option to the line that contains the service module pam_authtok_store.so.1.