Working With Oracle® Solaris 11.4 Directory and Naming Services: LDAP

Updated: November 2020

Pluggable Authentication Methods

With the Pluggable Authentication Method (PAM) framework, you can choose among several authentication services, including the pam_unix_*, pam_krb5, and pam_ldap_* modules.

To use per-user authentication, you must enable pam_krb5. You can also use pam_krb5 authentication if you do not assign the per-user credential level. If proxy or anonymous credential levels are used to access directory server data, then you cannot restrict access to directory data on a per-user basis.

If you choose anonymous or proxy authentication, use the pam_ldap module instead of the equivalent pam_unix_* modules. The pam_ldap module is more flexible, supports stronger authentication methods, and can perform account management.

The following table summarizes the differences between authentication mechanisms.

Table 3  Authentication Behavior of PAM Modules

Password Sent
  pam_unix_*: Uses passwd service authentication method.
  pam_ldap: Uses passwd service authentication method.
  pam_krb5: Uses Kerberos single sign-on technology.

New Password Sent
  pam_unix_*: Encrypted.
  pam_ldap: No encryption (unless TLS is used).
  pam_krb5: Uses Kerberos. Passwords are not sent over the wire.

New Password Stored
  pam_unix_*: crypt format.
  pam_ldap: Password storage scheme defined on OUD.
  pam_krb5: Uses Kerberos to manage passwords.

Requires password read?
  pam_unix_*: Yes.
  pam_ldap: No.
  pam_krb5: No.

sasl/digest-MD5 compatibility after changing password
  pam_unix_*: No. Password is not stored unencrypted. User cannot authenticate.
  pam_ldap: Yes. User can authenticate if the default storage scheme is set to clear.
  pam_krb5: No. Uses sasl/GSSAPI. There are no passwords over the wire and there are no passwords to be stored in the directory server, except when using a Kerberos KDC that manages its password database in the LDAP directory server.

Password policy supported?
  pam_unix_*: Yes. enableShadowUpdate must be set to true.
  pam_ldap: Yes, if configured.
  pam_krb5: See the pam_krb5(7) man page and Kerberos V5 Account Management Module.

LDAP Service Module

This section describes how to implement account management for clients that use the pam_ldap module, and how to use the pam_ldap module to enable passwordless authentication. With passwordless authentication, users can log in with commands such as ssh and sftp without giving a password.

Enabling Account Management for Clients That Use the pam_ldap Module

For pam_ldap to work properly, you must correctly configure the password and account lockout policy on the server. Use the ldapmodify command to configure the account management policy for the LDAP directory.

Ensure that the passwords for proxy users do not expire. If proxy passwords expire, clients using the proxy credential level cannot retrieve naming service information from the server. To ensure that proxy users have passwords that do not expire, modify the proxy accounts with the following script:

# ldapmodify -H ldapuri -D administrator-DN \
    -w administrator-password <<EOF
dn: proxy-user-DN
changetype: modify
replace: passwordexpirationtime
passwordexpirationtime: 20380119031407Z
EOF

The pam_ldap account management relies on the directory server to maintain and provide password aging and account expiration information for users. The directory server does not interpret the corresponding data from shadow entries to validate user accounts. Because the shadow data is not kept up to date by the LDAP naming service or the directory server, the modules should not grant access based on the shadow data. The shadow data is retrieved using the proxy identity. Therefore, do not allow proxy users to have read access to the userPassword attribute. Denying proxy users read access to userPassword prevents the PAM service from making an invalid account validation.
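As an added example that is not part of the Oracle documentation, the following LDIF, applied with ldapmodify as the directory administrator, denies the proxy identity any read of userPassword across the suffix using the same OUD ACI syntax shown elsewhere on this page. The suffix dc=example,dc=com and the proxy account cn=proxyagent,ou=profile,dc=example,dc=com are assumed placeholders; apply this only when no client depends on pam_unix_* authentication, which must read the attribute.

```ldif
# Added example: deny the proxy identity read/search/compare on userPassword.
# Assumed placeholders: suffix dc=example,dc=com and the proxy account
# cn=proxyagent,ou=profile,dc=example,dc=com. Substitute your own values.
# Apply with:
#   ldapmodify -H ldapuri -D administrator-DN -w administrator-password -f deny-proxy.ldif
# In OUD ACI evaluation a deny rule takes precedence over any allow rule, so
# an existing broad "allow (read, search, compare)" for the proxy is overridden
# for this one attribute only.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "userPassword")(version 3.0; acl "No proxy read of userPassword";
  deny (read, search, compare)
  (userdn = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com");)
```

After applying it, an ldapsearch bound as the proxy user should return user entries without a userPassword value; pam_ldap does not need that attribute, so naming-service lookups and bind-based authentication continue to work.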

Configuring Oracle Unified Directory for Passwordless Public Key Authentication

The 1.3.6.1.4.1.42.2.27.9.5.8 control on the directory server is enabled by default. This control only applies to OUD. To modify the default control configuration, add ACIs on the directory server as shown in the following example:

dn: oid=1.3.6.1.4.1.42.2.27.9.5.8,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 1.3.6.1.4.1.42.2.27.9.5.8
cn: Password Policy Account Usable Request Control
aci: (targetattr != "aci")(version 3.0; acl "Account Usable";
  allow (read, search, compare, proxy)
  (groupdn = "ldap:///cn=Administrators,cn=config");)
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=server,cn=plugins,cn=config

The pam_ldap module does not read the userPassword attribute. If no client uses UNIX authentication, granting read access to the userPassword attribute is unnecessary. Similarly, the pam_ldap module does not support none as an authentication method.


Note -  If the simple authentication method is used, the userPassword attribute can be read unencrypted by third parties.

The serviceAuthenticationMethod attribute, if defined, determines the manner in which the user binds to the LDAP server. Otherwise, the authenticationMethod attribute is used. After the pam_ldap module successfully binds to the server with the user’s identity and password, the module authenticates the user. You can perform account management and retrieve the account status of users while the user is logging in without authenticating to the directory server.

Configuring OpenLDAP Server for Passwordless Public Key Authentication

The pam_ldap module can retrieve and use the account status of users from a properly configured OpenLDAP server in a limited way: the pam_ldap module determines only whether a user account has been permanently locked or might have been locked because of repeated bind failures.

The OpenLDAP server requires the following configuration:

  • Use the Password Policy overlay with the pwdLockout option set to TRUE.

  • Enable the LDAP client’s proxy user to read the ppolicy operational attributes, specifically pwdAccountLockedTime, that are stored in the user’s entry.

See the slapo-ppolicy(5oldap) man page for descriptions of the operational attributes.
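Added example, not from the Oracle or OpenLDAP documentation: cn=config LDIF that meets both requirements above and defines the default policy itself. It assumes an mdb database numbered {1} under cn=config, the suffix dc=example,dc=com, a proxy user cn=proxyagent,ou=profile,dc=example,dc=com, an existing ou=policies container, and that the ppolicy module is already loaded.

```ldif
# Added example. Assumed placeholders: olcDatabase={1}mdb, suffix
# dc=example,dc=com, proxy user cn=proxyagent,ou=profile,dc=example,dc=com.
# Assumes the ppolicy module (ppolicy.la) is loaded and ou=policies exists.

# 1. Enable the Password Policy overlay on the database, naming the
#    default policy that applies to every entry without its own pwdPolicySubentry.
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com

# 2. Let the client's proxy user, and only that user, read the operational
#    lockout attribute. {0} puts this rule first so a broader "to *" rule
#    further down cannot shadow it (slapd stops at the first matching "to").
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=pwdAccountLockedTime
  by dn.exact="cn=proxyagent,ou=profile,dc=example,dc=com" read
  by * none

# 3. The default policy (added to the data tree as the directory
#    administrator, not as cn=config). pwdLockout only has an effect when
#    pwdMaxFailure is greater than 0; pwdLockoutDuration 0 would lock the
#    account permanently until an administrator clears pwdAccountLockedTime.
dn: cn=default,ou=policies,dc=example,dc=com
changetype: add
objectClass: pwdPolicy
objectClass: device
cn: default
pwdAttribute: userPassword
pwdLockout: TRUE
pwdMaxFailure: 5
pwdLockoutDuration: 900
```

With this in place, a user entry locked after five failed binds carries pwdAccountLockedTime, which the proxy user can read and pam_ldap can therefore report as a locked account.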

Configuring Microsoft Active Directory Server for Passwordless Public Key Authentication

The pam_ldap module can also retrieve the account status of users from an AD server to allow passwordless public key authentication for commands such as ssh and sftp. AD must delegate the Read userAccountControl permission to the security group to which the LDAP client's proxy user belongs. The pam_ldap module uses the proxy user to retrieve account status information. For each user, the user account control attributes to be read are: userAccountControl, msDS-User-Account-Control-Computed, msDS-UserPasswordExpiryTimeComputed, accountExpires, and pwdLastSet. Consult the Microsoft Active Directory Server documentation for how to delegate the Read userAccountControl permission.

pam_unix_* Service Modules

If the /etc/pam.conf file is unconfigured, UNIX authentication is enabled by default.


Note -  The pam_unix module has been removed and is no longer supported in Oracle Solaris. The module has been replaced by a different set of service modules that provides equivalent or greater functionality. In this guide, pam_unix refers to the modules that provide equivalent functionality, not to the pam_unix module itself.

The following modules provide functionality equivalent to that of the original pam_unix module. The modules are listed by their corresponding man pages.

The pam_unix_* modules use the following UNIX authentication model:

  1. The client retrieves the user’s encrypted password from the name service.

  2. The user is prompted for the password.

  3. The user’s password is encrypted.

  4. The client compares the two encrypted passwords to determine whether the user should be authenticated.

The pam_unix_* modules have the following restrictions:

  • The password must be stored in UNIX crypt format.

  • The userPassword attribute must be readable by the name service.

    For example, if you set the credential level to anonymous, then anyone must be able to read the userPassword attribute. Similarly, if you set the credential level to proxy, then the proxy user must be able to read the userPassword attribute.


Note -  UNIX authentication is incompatible with the sasl/digest-MD5 authentication method. In OUD, passwords must be stored unencrypted to use digest-MD5.

The pam_unix_account module supports account management when the enableShadowUpdate switch is set to true. The controls for a remote LDAP user account are applied in the same manner as the controls for a local user account that is defined in the passwd and shadow files. For an LDAP account in enableShadowUpdate mode, the system updates and uses the shadow data on the LDAP server for password aging and account locking. The shadow data of a local account applies only to the local client system, while the shadow data of an LDAP user account applies to the user on all client systems.

You can check the password history only for the local client and not for an LDAP user account.

Kerberos Service Module

For information about Kerberos, see Managing Kerberos in Oracle Solaris 11.4 and the pam_krb5(7) man page.

Changing Passwords That Use PAM

Use the passwd command to change a password. If the enableShadowUpdate switch is not enabled, the userPassword attribute must be writable by the user as well as by the administrator credentials. The serviceAuthenticationMethod for passwd-cmd overrides the authenticationMethod for this operation. Depending on the authentication method, the current password might be unencrypted.

In UNIX authentication, the new userPassword attribute is encrypted with the UNIX crypt format. The attribute is tagged before being written to LDAP. Thus, the new password is encrypted regardless of the authentication method used to bind to the server. For more information, see the pam_authtok_store(7) man page.

If the enableShadowUpdate switch is enabled, the pam_unix_* modules update the related shadow information on the LDAP server when the user password is changed, just as they update the shadow fields in the local shadow files when a local user password is changed.

To support password update, the pam_ldap module can use the pam_authtok_store module with the server_policy option. When you use pam_authtok_store, the new password is sent to the LDAP server unencrypted. Use TLS to ensure privacy. Otherwise, the new userPassword becomes subject to snooping.

If you set an untagged password with OUD, the software uses the passwordStorageScheme attribute to encrypt the password. For more information about the passwordStorageScheme attribute, see Security, Access Control, and Password Policies in Oracle® Fusion Middleware Administering Oracle Unified Directory.

If NIS or any other client that uses UNIX authentication uses LDAP as a repository, then you must configure the passwordStorageScheme attribute with crypt. Also, if you use sasl/digest-MD5 LDAP authentication with the OUD, you must configure the passwordStorageScheme attribute to clear text.