4.6. PAM Pass Through Auth Plug-in Attributes

Local PAM configurations on Unix systems can leverage an external authentication store for LDAP users. This is a form of pass-through authentication which allows the Directory Server to use the externally-stored user credentials for directory access.
PAM pass-through authentication is configured in child entries beneath the PAM Pass Through Auth Plug-in container entry. All of the possible configuration attributes for PAM authentication (defined in the 60pam-plugin.ldif schema file) are available to a child entry; the child entry must be an instance of the PAM configuration object class.

Example 4.1. Example PAM Pass Through Auth Configuration Entries

 dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
 objectClass: top
 objectClass: nsSlapdPlugin
 objectClass: extensibleObject
 objectClass: pamConfig
 cn: PAM Pass Through Auth
 nsslapd-pluginPath: libpam-passthru-plugin
 nsslapd-pluginInitfunc: pam_passthruauth_init
 nsslapd-pluginType: preoperation
 nsslapd-pluginEnabled: on
 nsslapd-pluginLoadGlobal: true
 nsslapd-plugin-depends-on-type: database
 nsslapd-pluginId: pam_passthruauth
 nsslapd-pluginVersion: 9.0.0
 nsslapd-pluginVendor: Red Hat
 nsslapd-pluginDescription: PAM pass through authentication plugin

 dn: cn=Example PAM Config,cn=PAM Pass Through Auth,cn=plugins,cn=config
 objectClass: top
 objectClass: nsSlapdPlugin
 objectClass: extensibleObject
 objectClass: pamConfig
 cn: Example PAM Config
 pamMissingSuffix: ALLOW
 pamExcludeSuffix: cn=config
 pamExcludeSuffix: o=NetscapeRoot
 pamIDMapMethod: RDN ou=people,dc=example,dc=com
 pamIDMapMethod: ENTRY ou=engineering,dc=example,dc=com
 pamIDAttr: customPamUid
 pamFilter: (manager=uid=bjensen,ou=people,dc=example,dc=com)
 pamFallback: FALSE
 pamSecure: TRUE
 pamService: ldapserver

The PAM configuration, at a minimum, must define a mapping method (a way to derive the PAM user ID from the Directory Server entry), the PAM service to use, and whether to require a secure connection to the service.

 pamIDMapMethod: RDN
 pamSecure: FALSE
 pamService: ldapserver
The configuration can be expanded for special settings, such as to exclude or specifically include subtrees or to map a specific attribute value to the PAM user ID.

4.6.1. pamConfig (Object Class)

This object class is used to define the PAM configuration to interact with the directory service. This object class is defined in Directory Server.
Superior Class top
OID 2.16.840.1.113730.3.2.318

4.6.2. pamExcludeSuffix

This attribute specifies a suffix to exclude from PAM authentication.
OID 2.16.840.1.113730.3.1.2068
Syntax DN
Multi- or Single-Valued Multi-valued
Defined in Directory Server

4.6.3. pamFallback

Sets whether to fall back to regular LDAP authentication if PAM authentication fails.
OID 2.16.840.1.113730.3.1.2072
Syntax Boolean
Multi- or Single-Valued Single-valued
Defined in Directory Server

4.6.4. pamFilter

Sets an LDAP filter to use to identify specific entries within the included suffixes for which to use PAM pass-through authentication. If not set, all entries within the suffix are targeted by the configuration entry.
OID 2.16.840.1.113730.3.1.2131
Syntax Boolean
Multi- or Single-Valued Single-valued
Defined in Directory Server

4.6.5. pamIDAttr

This attribute gives the name of the entry attribute that holds the PAM user ID.
OID 2.16.840.1.113730.3.1.2071
Syntax DirectoryString
Multi- or Single-Valued Multi-valued
Defined in Directory Server

4.6.6. pamIDMapMethod

Gives the method to use to map the LDAP bind DN to a PAM identity.

Note

Directory Server user account inactivation is only validated using the ENTRY mapping method. With RDN or DN, a Directory Server user whose account is inactivated can still bind to the server successfully.
OID 2.16.840.1.113730.3.1.2070
Syntax DirectoryString
Multi- or Single-Valued Single-valued
Defined in Directory Server

4.6.7. pamIncludeSuffix

This attribute sets a suffix to include for PAM authentication.
OID 2.16.840.1.113730.3.1.2067
Syntax DN
Multi- or Single-Valued Multi-valued
Defined in Directory Server

4.6.8. pamMissingSuffix

Identifies how to handle missing include or exclude suffixes. The options are ERROR (which causes the bind operation to fail); ALLOW, which logs an error but allows the operation to proceed; and IGNORE, which allows the operation and does not log any errors.
OID 2.16.840.1.113730.3.1.2069
Syntax DirectoryString
Multi- or Single-Valued Single-valued
Defined in Directory Server

4.6.9. pamSecure

Requires a secure TLS connection for PAM authentication.
OID 2.16.840.1.113730.3.1.2073
Syntax Boolean
Multi- or Single-Valued Single-valued
Defined in Directory Server

4.6.10. pamService

Contains the service name to pass to PAM. This assumes that the service specified has a configuration file in the /etc/pam.d/ directory.

Important

The pam_fprintd.so module cannot be in the configuration file referenced by the pamService attribute of the PAM Pass-Through Authentication Plug-in configuration. Using the PAM pam_fprintd.so module causes the Directory Server to hit the max file descriptor limit and can cause the Directory Server process to abort.

OID 2.16.840.1.113730.3.1.2074
Syntax IA5String
Multi- or Single-Valued Single-valued
Defined in Directory Server
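The following is an added example, not part of the Red Hat documentation or of Directory Server itself: a small lint that reads one pamConfig child entry in LDIF form and reports the conditions this section calls out (the three required attributes, the RDN/DN inactivation caveat, pamSecure, pamFallback, pamMissingSuffix IGNORE, and pam_fprintd.so in the /etc/pam.d/<pamService> file). The sample entry is constructed from the example above with pamSecure and pamFallback weakened; the pam.d path is an assumption and is only read if the file exists.

```python
import os
REQUIRED = ("pamIDMapMethod", "pamService", "pamSecure")

# Constructed sample: the page's child entry with pamSecure and pamFallback weakened.
SAMPLE_LDIF = """dn: cn=Example PAM Config,cn=PAM Pass Through Auth,cn=plugins,cn=config
objectClass: top
objectClass: pamConfig
cn: Example PAM Config
pamIDMapMethod: RDN ou=people,dc=example,dc=com
pamIDMapMethod: ENTRY ou=engineering,dc=example,dc=com
pamIDAttr: customPamUid
pamFallback: TRUE
pamSecure: FALSE
pamService: ldapserver
"""
def parse_ldif_entry(text):
    """One LDIF entry -> {attr_lowercase: [values]}; lists keep multi-valued attributes."""
    entry = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def lint_pam_config(entry, pam_d="/etc/pam.d"):
    """Findings for a pamConfig child entry, each tied to a rule stated in this section."""
    val = lambda a: entry.get(a.lower(), [""])[0].upper()   # first value, '' if absent
    findings = []
    if "PAMCONFIG" not in [v.upper() for v in entry.get("objectclass", [])]:
        findings.append("entry is not an instance of the pamConfig object class")
    findings += [f"required attribute {a} is missing" for a in REQUIRED if a.lower() not in entry]
    methods = {m.split()[0].upper() for m in entry.get("pamidmapmethod", []) if m.split()}
    if methods & {"RDN", "DN"}:
        findings.append("RDN/DN mapping: inactivated accounts can still bind (only ENTRY enforces inactivation)")
    if "pamsecure" in entry and val("pamSecure") != "TRUE":
        findings.append("pamSecure is not TRUE: PAM authentication allowed over non-TLS connections")
    if val("pamFallback") == "TRUE":
        findings.append("pamFallback TRUE: failed PAM authentication falls back to the LDAP password")
    if val("pamMissingSuffix") == "IGNORE":
        findings.append("pamMissingSuffix IGNORE: missing include/exclude suffixes are not logged")
    for svc in entry.get("pamservice", []):   # the service file must not load pam_fprintd.so
        path = os.path.join(pam_d, svc)
        if os.path.isfile(path) and "pam_fprintd.so" in open(path).read():
            findings.append(f"{path} loads pam_fprintd.so: file-descriptor exhaustion, server may abort")
    return findings

if __name__ == "__main__":
    for finding in lint_pam_config(parse_ldif_entry(SAMPLE_LDIF)):
        print("finding:", finding)
```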