PAM-Modules: A Collection of Modules for PAM
Sergey Poznyakoff
pam_ldaphome

pam_ldaphome reads its configuration from two files: the configuration file supplied with the config command line option, and the system-wide LDAP configuration file /etc/ldap.conf.

The syntax of the former is described in SQL configuration file. The allowed keywords are discussed below.

The syntax of the /etc/ldap.conf configuration file is described in the ldap.conf(5) manpage. Its parsing can be suppressed using the ldap-config statement (see below).

From /etc/ldap.conf, the following statements are used: ‘base’, ‘binddn’, ‘bindpw’, ‘tls_cacert’, ‘uri’. The ‘ssl’ statement is understood if its value is ‘start_tls’ or ‘off’. Other values are silently ignored.

In general, all statements defined below can appear in both files. However, since /etc/ldap.conf is read by other system utilities as well, we do not recommend using pam_ldaphome-specific keywords in it. The values read from the pam_ldaphome configuration file override those obtained from the standard LDAP configuration file.
base searchbase
Use searchbase as the starting point for the search instead of the default, e.g.:
base dc=gnu,dc=org,dc=ua

binddn dn
Use the Distinguished Name dn to bind to the LDAP directory. Example:
binddn cn=Manager,dc=gnu,dc=org,dc=ua

bindpw password
If the binddn statement is used, this statement supplies the password for simple authentication.

bindpwfile file
Read the password for simple authentication from file. The file holds a cleartext credential, so keep it readable by root only.

filter expr
Sets the LDAP filter expression used to return the user profile. The expr must conform to the string representation of search filters defined in RFC 4515.

ldap-config file
Read LDAP configuration from file (default: /etc/ldap.conf). The special value ‘none’ disables this feature.

ldap-version v
Sets the LDAP protocol version to use. Valid values for v are ‘2’ and ‘3’ (the default).

pubkey-attr name
Defines the name of the attribute which holds the user's public key.

tls val
Controls whether TLS is desired or required. If val is ‘no’ (the default), TLS will not be used. If it is ‘yes’, the module will issue the ‘StartTLS’ command, but will continue anyway if it fails. Finally, if val is ‘only’, TLS is mandatory, and the module will not establish the LDAP connection unless ‘StartTLS’ succeeds. Note that with ‘yes’ a failed ‘StartTLS’ leaves the connection unencrypted, so the bind password (if any) is sent in the clear; use ‘only’ whenever the server supports ‘StartTLS’.

tls-cacert file
tls_cacert file
Full pathname to the CA certificate file. Used if TLS is enabled. The second form (‘tls_cacert’) is for use in the /etc/ldap.conf file.

uri arg
Sets the URI of the LDAP server to consult for the user profile. Example:
uri ldap://127.0.0.1/
allow-home-dir path
If present, this option controls where pam_ldaphome should try to create home directories. Its value is a list of directories separated by colons. The user's home directory will be created only if the directory part of its name is listed in path.

copy-buffer-size n
Sets the size of the buffer used to copy files from the skeleton directory to the newly created home. The default size is 16384 bytes.

home-dir-mode mode
Sets the mode (octal) for the created user directories.

skel dir
Supplies the name of a skeleton directory. The contents of this directory are copied to the newly created user home directory. The file modes and permissions are preserved.

authorized_keys name
Sets the pathname (relative to the home directory) of the authorized keys file. The default is ‘.ssh/authorized_keys’. For normal operation, this value must be the same as the value of the ‘AuthorizedKeysFile’ variable in sshd_config. Unless you change the latter, there is no need to edit it.

import-public-keys bool
When set to ‘no’, disables importing public keys from LDAP. You may wish to use this option if you are using OpenSSH 6.1 or later with ldappubkey as ‘AuthorizedKeysCommand’.

keyfile-mode mode
Sets the mode (octal) for the created authorized keys file.
User key files can contain both keys managed by pam_ldaphome and keys added by the user. These two groups of keys must be separated by a special comment line, which informs the module that all keys below it must be retained. This feature is enabled by the user-keys-boundary setting.

user-keys-boundary string
The delimiting comment is formed as ‘#string’. E.g. if the configuration file contains:
user-keys-boundary :user-defined
then the line ‘#:user-defined’ delimits the LDAP-synchronized keys from the user-specific ones.
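The following Python program is added here to illustrate the boundary rule; it is not pam_ldaphome's own code. It implements only what the text above states: the keys fetched from LDAP replace everything above the ‘#string’ line, and the line itself plus everything below it is kept verbatim. The sample file contents and key material are constructed for the example, and the treatment of a file without a boundary line (rewritten entirely, since nothing in it is marked as user-added) is this example's reading of the rule.

```python
"""Added example (not from pam_ldaphome): merging LDAP-fetched keys into an
authorized_keys file that uses a user-keys-boundary comment."""


def boundary_line(setting):
    """The delimiting comment is '#' followed by the user-keys-boundary value."""
    return "#" + setting


def merge_authorized_keys(existing, ldap_keys, setting):
    """Return the new authorized_keys contents.

    existing  -- current file contents (str), possibly empty
    ldap_keys -- public key lines fetched from the directory
    setting   -- value of user-keys-boundary, e.g. ':user-defined'

    Everything above the boundary comment is module-managed and replaced;
    the comment and everything below it are the user's keys and retained.
    A file with no boundary comment is treated as entirely module-managed
    (this example's assumption, based on the wording of the manual).
    """
    marker = boundary_line(setting)
    lines = [line.rstrip() for line in existing.splitlines()]
    retained = lines[lines.index(marker):] if marker in lines else []
    return "".join(line + "\n" for line in list(ldap_keys) + retained)


# Constructed sample data: one stale LDAP-managed key above the boundary,
# one user-added key below it.
SAMPLE_EXISTING = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLDKEYFROMLDAP alice@old
#:user-defined
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIUSERKEYONLAPTOP alice@laptop
"""
SAMPLE_LDAP_KEYS = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINEWKEYFROMLDAP alice@ldap"]


if __name__ == "__main__":
    print(merge_authorized_keys(SAMPLE_EXISTING, SAMPLE_LDAP_KEYS, ":user-defined"), end="")
```

A consequence worth remembering when deploying this: a key the user pastes above the boundary comment is treated as LDAP-managed and disappears on the next login, so instruct users to add their own keys only below the ‘#:user-defined’ line.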
allow-groups group [group...]
Only handle members of the listed groups.

min-gid n
Sets the minimal GID. For users with GIDs less than n, pam_ldaphome returns PAM_SUCCESS immediately.

min-uid n
Sets the minimal UID. For users with UIDs less than n, pam_ldaphome returns PAM_SUCCESS immediately. This allows you to have a set of basic users whose credentials are kept in the system database and who will not be disturbed by pam_ldaphome. See also ‘min-gid’ and ‘allow-groups’.
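The Python program below is added as an illustration of the gating statements above (min-uid, min-gid, allow-groups) together with allow-home-dir from the previous section; it is not part of pam_ldaphome. It reads a constructed configuration in the keyword/value form shown throughout this chapter (the ‘#’ comment handling in the reader is this example's assumption), then decides, for a few made-up accounts, whether the module would act on them. The configuration contents, the UIDs, group names and home paths are all constructed for the example, and the directory comparison uses os.path.normpath, which may differ in detail from the module's own string comparison.

```python
"""Added example (not pam_ldaphome's code): modelling the min-uid, min-gid,
allow-groups and allow-home-dir gates over a pam_ldaphome-style config."""

import os


def parse_config(text):
    """Read 'keyword value...' lines into a dict.

    Blank lines are skipped; a '#' starts a comment (an assumption of this
    example, not something this manual page documents).
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf


# Constructed configuration for this example; the secret file path is made up.
SAMPLE_CONFIG = """\
uri ldap://127.0.0.1/
base dc=gnu,dc=org,dc=ua
binddn cn=Manager,dc=gnu,dc=org,dc=ua
bindpwfile /etc/pam_ldaphome.secret
tls only
min-uid 1000
min-gid 1000
allow-groups ldapusers
allow-home-dir /home:/srv/home
skel /etc/skel
home-dir-mode 0700
keyfile-mode 0600
"""


def should_handle(conf, uid, gid, groups, home):
    """Decide whether pam_ldaphome would act on this account.

    Returns (True, reason) when every gate passes, and (False, reason) when
    the module would return PAM_SUCCESS without touching the account or
    would not create the home because of allow-home-dir.
    """
    min_uid = int(conf.get("min-uid", 0))
    min_gid = int(conf.get("min-gid", 0))
    if uid < min_uid:
        return False, "uid %d < min-uid %d: PAM_SUCCESS, account left alone" % (uid, min_uid)
    if gid < min_gid:
        return False, "gid %d < min-gid %d: PAM_SUCCESS, account left alone" % (gid, min_gid)
    allowed = conf.get("allow-groups")
    if allowed is not None and not set(allowed.split()) & set(groups):
        return False, "not a member of any group listed in allow-groups"
    path = conf.get("allow-home-dir")
    if path is not None:
        # Only the directory part of the home name is compared with the
        # colon-separated list; normpath() drops a trailing slash first.
        parent = os.path.dirname(os.path.normpath(home))
        if parent not in path.split(":"):
            return False, "%s is not below any allow-home-dir entry" % home
    return True, "eligible: home may be created and keys synchronized"


if __name__ == "__main__":
    conf = parse_config(SAMPLE_CONFIG)
    for uid, gid, groups, home in [(500, 500, ["wheel"], "/home/sysadm"),
                                   (1200, 1000, ["ldapusers"], "/home/alice"),
                                   (1300, 1000, ["ldapusers"], "/tmp/mallory")]:
        print(home, should_handle(conf, uid, gid, groups, home))
```

The last sample account shows why allow-home-dir is worth setting: an LDAP profile whose home directory points outside the listed prefixes is rejected before anything is created.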
The following statements instruct pam_ldaphome to invoke an external command after initializing the user home directory. This can be used to customize the files copied from the skeleton directory according to the user.

initrc-timeout seconds
Sets the maximum time the initrc-command is allowed to run. If it runs longer than seconds, it will be terminated with ‘SIGKILL’, and the module will return PAM_SYSTEM_ERR.

initrc-command command
Run command after populating the user home directory with files from the skeleton directory.

The user login name is passed to the command as its argument. Before invoking it, the current working directory is changed to the user's home directory, standard input is closed, and standard output is redirected to standard error.

The command is run with the current user's privileges, unless the variable initrc-root is set to true.

The command should exit with code 0 on success. If it exits with a non-zero code, pam_ldaphome will report ‘PAM_SYSTEM_ERR’.

initrc-root bool
When set to true, initrc-command will be run with root privileges. In this case, the environment variable PAM_LDAPHOME_USER will be initialized to the name of the user who is trying to log in. Because the command then runs as root inside the user's home directory, it should treat the contents of that directory and the login name it receives as untrusted input, and should not execute or source anything it finds there.
initrc-log file
This statement redirects the standard output and error of the initrc-command to file.

initrc-environ args...
Modifies the environment of initrc-command. This statement takes one or more arguments. Each argument can be one of:

-
Clear the environment. This is understood only when used as the first argument.

-name
Unset the environment variable name.

-name=val
Unset the environment variable name only if its value is val.

name
Retain the environment variable name.

name=value
Define environment variable name to have the given value.

name+=value
Retain variable name and append value to its existing value. If no such variable is present in the environment, it is created and value is assigned to it. However, if value begins with a punctuation character, this character is removed from it before the assignment. This is convenient for using this construct with environment variables like PATH, e.g.:
PATH+=:/sbin
In this example, if PATH exists, ‘:/sbin’ will be appended to it. Otherwise, it will be created and ‘/sbin’ will be assigned to it.

name=+value
Retain variable name and prepend value to its existing value. If no such variable is present in the environment, it is created and value is assigned to it. However, if value ends with a punctuation character, this character is removed from it before the assignment.

The value part can be enclosed in single or double quotes, in which case the usual shell dequoting rules apply.
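To make the argument forms above concrete, here is a Python model of initrc-environ applied to an ordinary dictionary. It is an added example, not pam_ldaphome's implementation: it reproduces the documented semantics (clear, unset, conditional unset, retain, assign, append and prepend, including the one-character punctuation rule), so that the PATH case from the text can be checked. The dequoting helper is a simplification of the shell rules (one pair of enclosing quotes, backslash escapes honoured only inside double quotes), and applying it before the punctuation check is this example's assumption.

```python
"""Added example (not pam_ldaphome's code): the initrc-environ argument
forms applied to an environment dictionary."""

import string

PUNCT = set(string.punctuation)   # ':' and '/' are both punctuation


def dequote(value):
    """Strip one pair of enclosing quotes; simplified shell dequoting."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        inner = value[1:-1]
        if value[0] == '"':
            inner = inner.replace('\\"', '"').replace("\\\\", "\\")
        return inner
    return value


def apply_environ(env, args):
    """Return the environment obtained by applying initrc-environ args to env."""
    original = dict(env)
    clear = bool(args) and args[0] == "-"
    result = {} if clear else dict(env)
    for arg in args[1:] if clear else args:
        if arg == "-":
            continue                          # only meaningful as the first argument
        if arg.startswith("-"):               # -name  or  -name=val
            name, has_val, val = arg[1:].partition("=")
            if not has_val or result.get(name) == dequote(val):
                result.pop(name, None)
            continue
        eq = arg.find("=")
        if eq < 0:                            # name: retain from the original environment
            if arg in original:
                result[arg] = original[arg]
        elif eq > 0 and arg[eq - 1] == "+":   # name+=value: append
            name, val = arg[:eq - 1], dequote(arg[eq + 1:])
            if name in result:
                result[name] += val
            else:                             # created: drop a leading punctuation char
                result[name] = val[1:] if val and val[0] in PUNCT else val
        elif arg[eq + 1:eq + 2] == "+":       # name=+value: prepend
            name, val = arg[:eq], dequote(arg[eq + 2:])
            if name in result:
                result[name] = val + result[name]
            else:                             # created: drop a trailing punctuation char
                result[name] = val[:-1] if val and val[-1] in PUNCT else val
        else:                                 # name=value: assign
            result[arg[:eq]] = dequote(arg[eq + 1:])
    return result


if __name__ == "__main__":
    # Constructed environment: start clean, keep HOME, set a few variables.
    base = {"HOME": "/home/alice", "TERM": "xterm", "LANG": "C", "PATH": "/usr/bin"}
    print(apply_environ(base, ["-", "HOME", "PATH", "PATH+=:/sbin", "TERM=dumb"]))
```

Starting initrc-environ with ‘-’ and then listing only the variables the command needs is the least-privilege way to run it: nothing from the login session's environment reaches the command unless it is named.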
This document was generated on August 11, 2021 using makeinfo.
Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved.