20.14. Using PAM for Pass-Through Authentication

Figure 20.3. PAM Pass-Through Authentication Process
20.14.1. PAM Pass-Through Authentication Configuration Options
- The suffixes that are controlled by the PAM pass-through authentication plug-in. This covers suffixes to exclude, suffixes to include, and how to handle a missing suffix.
- Individual entries within the configured suffixes which are the target of the authentication configuration. By default, all entries within a suffix are included in the authentication scope, but it is possible to configure multiple, different PAM Pass-Through Auth plug-in instances and then apply different plug-in configuration to different users.
- The PAM attribute mapping. The credentials that are offered to the Directory Server have to be mapped in some way to an LDAP entry and then back to the credentials in the PAM service. This is done by defining a mapping method and, optionally, the LDAP attribute that holds the identity to match the credentials against.
- General configuration such as using TLS connections, the PAM service to use, and whether to fallback to LDAP authentication if PAM authentication fails.
Note
Use the pamFilter attribute to set an LDAP filter to search for the specific entries to use with the plug-in.
20.14.1.1. Specifying the Suffixes to Target for PAM PTA
Note
Specify suffixes by their DN, such as cn=config or the root suffix dc=example,dc=com (which is associated with the userRoot database), not by the database name.
The pamExcludeSuffix attribute excludes a suffix. By default, only the configuration subtree (cn=config) is excluded. Alternatively, the PAM PTA plug-in can be applied to a suffix with the pamIncludeSuffix attribute. Both of these attributes are multi-valued.
pamExcludeSuffix: cn=config
If pamIncludeSuffix is set, only the given suffix is included and all others are automatically excluded. Since this attribute is multi-valued, more than one suffix can be included in the PAM evaluation by explicitly listing the suffixes.
pamIncludeSuffix: ou=Engineering,dc=example,dc=com
pamIncludeSuffix: ou=QE,dc=example,dc=com
The pamMissingSuffix attribute tells the server how to handle a failure if a specified suffix (include or exclude) does not exist. If it is set to IGNORE, then when a suffix does not exist the plug-in simply skips that suffix and tries the next. In the following example, ou=Not Real,dc=example,dc=com does not exist and is skipped, so only ou=Engineering is evaluated:
pamMissingSuffix: IGNORE
pamIncludeSuffix: ou=Engineering,dc=example,dc=com
pamIncludeSuffix: ou=Not Real,dc=example,dc=com
20.14.1.2. Applying Different PAM Pass-Through Authentication Configurations to Different Entries
Specific entries within a configured suffix can be targeted with the pamFilter attribute, which holds an LDAP filter identifying the entries to which the PAM pass-through authentication policy applies. Binds by entries that do not match the filter are not handled by that plug-in instance, so different instances with different filters can apply different PAM configurations to different users. For example, the filter (manager=uid=example_user,ou=people,dc=example,dc=com) limits an instance to entries whose manager is example_user.
20.14.1.3. Setting PAM PTA Mappings
The mapping method is set in the pamIDMapMethod attribute. More than one method can be listed, separated by spaces; the methods are tried in the order given. For example:
pamIDMapMethod: RDN ENTRY DN
Note
The ENTRY method only works if the pamIDAttr attribute is also set, because that attribute names the entry attribute that holds the PAM identity.
Table 20.4. Mapping Methods for PAM Authentication

| Mapping | Description |
|---|---|
| RDN | Uses the value of the leftmost RDN of the bind DN as the PAM identity. The mapping for this method is defined by Directory Server. This is the default mapping method if none is given. |
| ENTRY | Takes the PAM identity from a user-defined attribute in the entry identified by the bind DN. The attribute is named in the pamIDAttr attribute, for example pamIDAttr: customPamUid. |
| DN | Uses the full distinguished name of the bind DN as the PAM identity. The mapping for this method is defined by Directory Server. |
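The following Python model, added here as an illustration and not code from Directory Server or the PAM Pass-Through Auth plug-in, shows what the suffix scoping rules of Section 20.14.1.1 and the three mapping methods in Table 20.4 do to a bind DN: a bind is handled by an instance only if it is not under a pamExcludeSuffix and, when pamIncludeSuffix is set, is under one of those suffixes; the PAM identity is then derived from the pamIDMapMethod values in the order listed. The model stops at the first method that yields an identity and does not model the server retrying later methods, so read it as a demonstration of how each method derives the identity. The directory contents are constructed; customPamUid is the page's own pamIDAttr example. It also makes the RDN caveat concrete: two entries with the same uid in different subtrees map to the same PAM user.

```python
"""Model of PAM PTA suffix scoping and pamIDMapMethod identity mapping.

Added example, not code from Directory Server or its PAM PTA plug-in.
The directory below is constructed for the demonstration.
"""
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]  # attribute name (lower-cased) -> values


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDN strings on unescaped commas (RFC 4514 backslash escapes)."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):  # keep the escape pair together
            cur, i = cur + dn[i:i + 2], i + 2
        elif dn[i] == ",":
            rdns, cur, i = rdns + [cur], "", i + 1
        else:
            cur, i = cur + dn[i], i + 1
    return rdns + [cur]


def unescape(value: str) -> str:
    """Remove RFC 4514 backslash escapes from an attribute value."""
    out, i = "", 0
    while i < len(value):
        esc = value[i] == "\\" and i + 1 < len(value)
        out, i = out + value[i + 1 if esc else i], i + (2 if esc else 1)
    return out


def normalize_dn(dn: str) -> str:
    """Case-fold and strip whitespace around RDNs (enough for suffix matching here)."""
    return ",".join(rdn.strip().lower() for rdn in split_dn(dn))


def leftmost_rdn_value(dn: str) -> str:
    """What the RDN mapping method uses: the value of the first RDN of the bind DN."""
    _, _, value = split_dn(dn)[0].partition("=")
    return unescape(value.strip())


def under_suffix(dn: str, suffix: str) -> bool:
    """True if dn equals suffix or lies below it (matching on whole RDN boundaries)."""
    d, s = normalize_dn(dn), normalize_dn(suffix)
    return d == s or d.endswith("," + s)


def in_scope(dn: str, include: List[str], exclude: List[str]) -> bool:
    """pamExcludeSuffix always wins; with pamIncludeSuffix set, only listed suffixes count."""
    if any(under_suffix(dn, s) for s in exclude):
        return False
    return any(under_suffix(dn, s) for s in include) if include else True


def map_identity(bind_dn: str, entry: Optional[Entry], methods: List[str],
                 id_attr: Optional[str] = None) -> Optional[Tuple[str, str]]:
    """Return (method, pam_identity) from the first listed method that yields one.

    RDN is the default when no method is configured. ENTRY needs pamIDAttr and
    a value for it in the entry; otherwise the next listed method is tried.
    """
    for method in (methods or ["RDN"]):
        m = method.upper()
        if m == "RDN":
            return m, leftmost_rdn_value(bind_dn)
        if m == "DN":
            return m, bind_dn
        if m == "ENTRY":
            values = entry.get(id_attr.lower()) if (entry and id_attr) else None
            if values:
                return m, values[0]
            continue
        raise ValueError(f"unknown pamIDMapMethod value {method!r}")
    return None


def pam_identity_for_bind(bind_dn: str, directory: Dict[str, Entry],
                          config: dict) -> Optional[Tuple[str, str]]:
    """None means this plug-in instance does not handle the bind at all."""
    if not in_scope(bind_dn, config.get("include", []), config.get("exclude", ["cn=config"])):
        return None
    return map_identity(bind_dn, directory.get(normalize_dn(bind_dn)),
                        config.get("methods", []), config.get("id_attr"))


# Constructed directory (keys are normalized DNs) and a config mirroring the page's examples.
DIRECTORY: Dict[str, Entry] = {
    "uid=jsmith,ou=engineering,dc=example,dc=com": {"uid": ["jsmith"], "custompamuid": ["jsmith-eng"]},
    "uid=jsmith,ou=qe,dc=example,dc=com": {"uid": ["jsmith"]},  # no customPamUid value
    "uid=bjensen,ou=sales,dc=example,dc=com": {"uid": ["bjensen"]},
}
CONFIG = {
    "include": ["ou=Engineering,dc=example,dc=com", "ou=QE,dc=example,dc=com"],
    "exclude": ["cn=config"],
    "methods": ["ENTRY", "RDN"],
    "id_attr": "customPamUid",
}

if __name__ == "__main__":
    for dn in ("uid=jsmith,ou=Engineering,dc=example,dc=com",
               "uid=jsmith,ou=QE,dc=example,dc=com",
               "uid=bjensen,ou=Sales,dc=example,dc=com"):
        print(dn, "->", pam_identity_for_bind(dn, DIRECTORY, CONFIG))
```

Running it shows the engineering jsmith authenticating to PAM as jsmith-eng (ENTRY), the QE jsmith falling through to RDN as jsmith because the entry has no customPamUid, and bjensen not handled at all because ou=Sales is not an included suffix. With pamIDMapMethod: RDN alone, both jsmith entries would present the same PAM user; if that is not intended, use ENTRY with a unique attribute or narrow the instance with pamFilter.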
20.14.1.4. Configuring General PAM PTA Settings
The general PAM PTA settings are:
- The service name to send to PAM (pamService); this is the name of the configuration file to use in /etc/pam.d
- Whether to require a secure connection (pamSecure)
- Whether to fall back to LDAP authentication if PAM authentication fails (pamFallback)
For example:
pamFallback: false
pamSecure: false
pamService: ldapserver
Two of these settings deserve care. With pamSecure set to false, the bind password that is passed to PAM is accepted over an unencrypted LDAP connection; set it to true unless the connection is protected some other way. With pamFallback set to true, a user whose PAM authentication fails can still bind with the password stored in the LDAP entry, which defeats the purpose of pass-through authentication when PAM is meant to be the authority; keep it false in that case.
20.14.2. Configuring PAM Pass-Through Authentication
- Make sure the PAM service is fully configured.
- Remove the pam_fprintd.so module from the PAM configuration file.
Important
The pam_fprintd.so module cannot be in the configuration file referenced by the pamService attribute of the PAM Pass-Through Authentication Plug-in configuration. Using the PAM fprintd module causes the Directory Server to hit the max file descriptor limit and can cause the Directory Server process to abort.
- Enable the plug-in:
# dsconf -D "cn=Directory Manager" ldap://server.example.com plugin set "PAM Pass-Through Auth Plugin" --enabled on
- Create the PAM Pass-Through Auth plug-in configuration entry. For example:
# dsconf -D "cn=Directory Manager" ldap://server.example.com plugin pass-through-auth pam-config "Admin PAM PTA Config" add --exclude-suffix="cn=config" --id_map_method="RDN ENTRY" --id-attr="customPamUid" --filter="(manager=uid=example_user,ou=people,dc=example,dc=com)" --fallback="FALSE" --secure="TRUE" --service="ldapserver"
- Restart the instance:
# dsctl instance_name restart
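For reference, the following LDIF is the equivalent of the two dsconf commands in this procedure (enabling the plug-in and creating the "Admin PAM PTA Config" entry), using the attributes described in Section 20.14.1. It is added here as an example and is not taken from the page or generated by dsconf; what it assumes is that a plug-in configuration entry lives directly under cn=PAM Pass-Through Auth,cn=plugins,cn=config with the pamConfig object class, and that enabling the plug-in means setting nsslapd-pluginEnabled on the plug-in entry.

```ldif
# Added example: enable the PAM PTA plug-in and add one configuration entry.
# Apply with ldapmodify as Directory Manager, then restart the instance.
dn: cn=PAM Pass-Through Auth,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on

# Configuration entry: same values as the dsconf "Admin PAM PTA Config" example.
dn: cn=Admin PAM PTA Config,cn=PAM Pass-Through Auth,cn=plugins,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
objectClass: pamConfig
cn: Admin PAM PTA Config
pamExcludeSuffix: cn=config
pamIDMapMethod: RDN ENTRY
pamIDAttr: customPamUid
pamFilter: (manager=uid=example_user,ou=people,dc=example,dc=com)
pamFallback: FALSE
pamSecure: TRUE
pamService: ldapserver
```

Before applying it, confirm that the service file named by pamService exists and does not load the fingerprint module, for example with `grep pam_fprintd /etc/pam.d/ldapserver` (which should print nothing). Then apply the LDIF with `ldapmodify -D "cn=Directory Manager" -W -H ldap://server.example.com -f admin-pam-pta.ldif` and run `dsctl instance_name restart` so the plug-in loads the new configuration. Because pamSecure is TRUE, binds for the targeted entries will be refused on connections that are not protected by TLS, which is the intended behaviour for a password that is forwarded to PAM.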
20.14.3. Using PAM Pass-Through Authentication with Active Directory as the Back End

Figure 20.4. PAM Pass-Through Authentication with SSSD
- Configure SSSD to use the Active Directory server as one of its identity providers. This configuration is covered in the Using Active Directory as an Identity Provider for SSSD section in the Windows Integration Guide.
- Enable the PAM Pass-Through Auth plug-in:
# dsconf -D "cn=Directory Manager" ldap://server.example.com plugin set "PAM Pass-Through Auth Plugin" --enabled on
- Create the PAM Pass-Through Auth plug-in configuration entry. For example:
# dsconf -D "cn=Directory Manager" ldap://server.example.com plugin pass-through-auth pam-config "AD PAM PTA Config" add --id_map_method="ENTRY" --id-attr="sAMAccountName" --service="system-auth"
- Restart the server to load the plug-in configuration.
# dsctl instance_name restart