4.6. PAM Pass Through Auth Plug-in Attributes
Local PAM configurations on Unix systems can leverage an external authentication store for LDAP users. This is a form of pass-through authentication which allows the Directory Server to use the externally-stored user credentials for directory access.
PAM pass-through authentication is configured in child entries beneath the PAM Pass Through Auth Plug-in container entry. All of the possible configuration attributes for PAM authentication (defined in the 60pam-plugin.ldif schema file) are available to a child entry; the child entry must be an instance of the PAM configuration object class.
Example 4.1. Example PAM Pass Through Auth Configuration Entries
```ldif
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
objectClass: pamConfig
cn: PAM Pass Through Auth
nsslapd-pluginPath: libpam-passthru-plugin
nsslapd-pluginInitfunc: pam_passthruauth_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginLoadGlobal: true
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: pam_passthruauth
nsslapd-pluginVersion: 9.0.0
nsslapd-pluginVendor: Red Hat
nsslapd-pluginDescription: PAM pass through authentication plugin

dn: cn=Example PAM Config,cn=PAM Pass Through Auth,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
objectClass: pamConfig
cn: Example PAM Config
pamMissingSuffix: ALLOW
pamExcludeSuffix: cn=config
pamExcludeSuffix: o=NetscapeRoot
pamIDMapMethod: RDN ou=people,dc=example,dc=com
pamIDMapMethod: ENTRY ou=engineering,dc=example,dc=com
pamIDAttr: customPamUid
pamFilter: (manager=uid=bjensen,ou=people,dc=example,dc=com)
pamFallback: FALSE
pamSecure: TRUE
pamService: ldapserver
```
The PAM configuration, at a minimum, must define a mapping method (how the PAM user ID is derived from the bind DN or the Directory Server entry), the PAM service to use, and whether the bind must arrive over a secure (TLS/SSL) connection before the password is handed to PAM.

```ldif
pamIDMapMethod: RDN
pamSecure: FALSE
pamService: ldapserver
```

With pamSecure: FALSE, a simple bind over a plaintext connection passes the user's password to PAM even though it crossed the network unencrypted; set pamSecure: TRUE (as in Example 4.1) unless the connection is protected by other means.

The configuration can be expanded for special settings, such as to exclude or specifically include subtrees, to restrict PAM authentication to entries matching an LDAP filter, or to map a specific attribute value to the PAM user ID.
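The following Python model shows how the attributes above combine for a single simple bind: which binds a pamConfig entry takes responsibility for, what PAM user ID they are mapped to, and what pamSecure, pamFallback and pamMissingSuffix change. It is an added example written for this page, not code from Red Hat Directory Server or the 389-ds plug-in, and it makes assumptions the page does not state: pamIDMapMethod is treated as a list of plain method names tried in order (RDN takes the value of the bind DN's leftmost RDN, ENTRY takes the first value of an attribute named in pamIDAttr, DN uses the whole bind DN), pamMissingSuffix is treated as accepting ERROR, ALLOW or IGNORE, and the order of the checks is the author's choice. The sample configuration is modelled on Example 4.1 with the mapping methods reduced to RDN and ENTRY; the sample entries are constructed.

```python
"""Routing model for a PAM Pass Through Auth pamConfig entry (added example,
not Red Hat / 389-ds code).  Config and entry are dicts of lowercased
attribute name -> list of values, as they would be read from LDIF.
Assumed, not taken from the page: mapping-method semantics, the ERROR /
ALLOW / IGNORE values of pamMissingSuffix, and the order of the checks."""


def _first(cfg, name, default=None):
    vals = cfg.get(name.lower())
    return vals[0] if vals else default


def _true(cfg, name):
    return str(_first(cfg, name, "FALSE")).upper() == "TRUE"


def dn_parts(dn):
    """Split a DN into normalised RDN strings (unescaped DNs only)."""
    return [p.strip().lower() for p in dn.split(",")]


def dn_under(dn, suffix):
    """True if dn equals suffix or lies beneath it."""
    d, s = dn_parts(dn), dn_parts(suffix)
    return len(d) >= len(s) and d[-len(s):] == s


def _parse_filter(s, i=0):
    """Minimal recursive-descent parser: (attr=value) plus &, | and !."""
    if s[i] != "(":
        raise ValueError("filter must start with '('")
    i += 1
    if s[i] in "&|":
        op, subs, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse_filter(s, i)
            subs.append(node)
        return (op, subs), i + 1          # consume the closing ')'
    if s[i] == "!":
        node, i = _parse_filter(s, i + 1)
        return ("!", [node]), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.strip().lower(), value.strip()), end + 1


def _eval(node, entry):
    op = node[0]
    if op == "=":
        return any(v.lower() == node[2].lower() for v in entry.get(node[1], []))
    if op == "&":
        return all(_eval(n, entry) for n in node[1])
    if op == "|":
        return any(_eval(n, entry) for n in node[1])
    return not _eval(node[1][0], entry)


def match_filter(entry, flt):
    """Evaluate a pamFilter value against an entry."""
    node, end = _parse_filter(flt)
    if end != len(flt):
        raise ValueError("trailing data in filter")
    return _eval(node, entry)


def pam_user_id(cfg, bind_dn, entry):
    """Try each pamIDMapMethod in order; None if no method yields an ID."""
    for method in cfg.get("pamidmapmethod", ["RDN"]):
        m = method.upper()
        if m == "RDN":                     # value of the leftmost RDN
            value = bind_dn.split(",", 1)[0].partition("=")[2].strip()
            if value:
                return value
        elif m == "ENTRY":                 # first value of a pamIDAttr attribute
            for attr in cfg.get("pamidattr", []):
                vals = entry.get(attr.lower())
                if vals:
                    return vals[0]
        elif m == "DN":                    # the whole bind DN
            return bind_dn
    return None


def route_bind(cfg, bind_dn, entry, secure_conn):
    """Return ("pam", pam_id), ("ldap", None) for binds outside this config's
    scope (normal LDAP bind), or ("reject", reason)."""
    if any(dn_under(bind_dn, s) for s in cfg.get("pamexcludesuffix", [])):
        return ("ldap", None)
    includes = cfg.get("pamincludesuffix", [])
    if includes and not any(dn_under(bind_dn, s) for s in includes):
        return ("ldap", None)
    flt = _first(cfg, "pamFilter")
    if flt and not match_filter(entry, flt):
        return ("ldap", None)
    if _true(cfg, "pamSecure") and not secure_conn:
        # Never hand a password that crossed the wire in cleartext to PAM.
        return ("reject", "pamSecure requires a TLS/SSL connection")
    pam_id = pam_user_id(cfg, bind_dn, entry)
    if pam_id is None:
        return ("reject", "no pamIDMapMethod produced a PAM user ID")
    return ("pam", pam_id)


def after_pam_failure(cfg):
    """pamFallback: retry as a normal LDAP bind, or fail the bind outright."""
    return "ldap" if _true(cfg, "pamFallback") else "reject"


def validate_suffixes(cfg, existing_suffixes):
    """Start-up check modelled on pamMissingSuffix: ERROR raises, ALLOW
    returns the missing suffixes as warnings, IGNORE returns nothing."""
    mode = str(_first(cfg, "pamMissingSuffix", "ERROR")).upper()
    configured = cfg.get("pamincludesuffix", []) + cfg.get("pamexcludesuffix", [])
    missing = [s for s in configured
               if not any(dn_under(s, e) for e in existing_suffixes)]
    if missing and mode == "ERROR":
        raise ValueError("missing suffixes: " + ", ".join(missing))
    return missing if mode == "ALLOW" else []


# Constructed sample config (modelled on Example 4.1) and sample entries.
EXAMPLE_CONFIG = {
    "pammissingsuffix": ["ALLOW"],
    "pamexcludesuffix": ["cn=config", "o=NetscapeRoot"],
    "pamidmapmethod": ["RDN", "ENTRY"],
    "pamidattr": ["customPamUid"],
    "pamfilter": ["(manager=uid=bjensen,ou=people,dc=example,dc=com)"],
    "pamfallback": ["FALSE"],
    "pamsecure": ["TRUE"],
    "pamservice": ["ldapserver"],
}
ENTRY_CONFIG = dict(EXAMPLE_CONFIG, pamidmapmethod=["ENTRY"])
JSMITH = {"uid": ["jsmith"], "custompamuid": ["js-unix"],
          "manager": ["uid=bjensen,ou=people,dc=example,dc=com"]}
TMORRIS = {"uid": ["tmorris"],
           "manager": ["uid=kclark,ou=people,dc=example,dc=com"]}
```

Running `route_bind(EXAMPLE_CONFIG, "uid=jsmith,ou=people,dc=example,dc=com", JSMITH, True)` yields `("pam", "jsmith")`; the same bind over a plaintext connection is rejected by pamSecure, tmorris (whose manager does not match pamFilter) is left to the normal LDAP bind, and anything under cn=config or o=NetscapeRoot never reaches PAM.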
4.6.1. pamConfig (Object Class)
This object class is used to define the PAM configuration to interact with the directory service. This object class is defined in Directory Server.
Superior Class
top
OID
2.16.840.1.113730.3.2.318
Allowed Attributes
| Attribute | Definition |
|---|---|
| pamExcludeSuffix | Identifies suffixes to exclude from PAM authentication. |
| pamIncludeSuffix | Identifies suffixes to include for PAM authentication. |
| pamMissingSuffix | Identifies how to handle missing include or exclude suffixes. |
| pamFilter | Sets an LDAP filter to specify entries within the included suffixes for which PAM pass-through authentication is enabled. |
| pamIDAttr | Identifies the name of the attribute holding the PAM ID. |
| pamIDMapMethod | Identifies how to map the LDAP bind DN to a PAM identity. |
| pamFallback | Identifies whether to fall back to regular LDAP authentication if PAM authentication fails. |
| pamSecure | Identifies whether to require a secure (TLS/SSL) connection for PAM authentication. |
| pamService | Identifies the service name to pass to PAM. This assumes that the service specified has a configuration file in /etc/pam.d. See the Important note below. |
| nsslapd-pluginConfigArea | Specifies a different container entry for the plug-in to use to find child entries. If a different container entry is used, then all PAM pass-through authentication child entries must be located beneath that container entry and must belong to the pamConfig object class; in that case, neither the container entry nor the PAM Pass-Through Auth Plug-in entry needs to belong to the pamConfig object class. |
Important
The pam_fprintd.so module cannot be in the configuration file referenced by the pamService attribute of the PAM Pass-Through Authentication Plug-in configuration. Using the PAM fprintd module causes the Directory Server to hit the max file descriptor limit and can cause the Directory Server process to abort.
4.6.2. pamExcludeSuffix
This attribute specifies a suffix to exclude from PAM authentication.
| OID | 2.16.840.1.113730.3.1.2068 |
| Syntax | DN |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
4.6.3. pamFallback
This attribute sets whether to fall back to LDAP authentication and bind if the PAM authentication fails.
| OID | 2.16.840.1.113730.3.1.2072 |
| Syntax | Boolean |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
4.6.4. pamFilter
This attribute sets an LDAP filter which is used to specify the entries within the included suffixes for which PAM authentication is performed. Entries that do not match the filter are not handled by this PAM configuration, so different PAM authentication configurations can be used for different users.
| OID | 2.16.840.1.113730.3.1.2131 |
| Syntax | DirectoryString (an LDAP search filter, for example (manager=uid=bjensen,ou=people,dc=example,dc=com)) |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
4.6.5. pamIDAttr
This attribute contains the attribute name which is used to hold the PAM user ID.
| OID | 2.16.840.1.113730.3.1.2071 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
4.6.6. pamIDMapMethod
This attribute contains the method for mapping the bind DN in the LDAP server to a PAM identity.
| OID | 2.16.840.1.113730.3.1.2070 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
4.6.7. pamIncludeSuffix
This attribute sets a suffix to include for PAM authentication.
| OID | 2.16.840.1.113730.3.1.2067 |
| Syntax | DN |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
4.6.8. pamMissingSuffix
This attribute sets how the LDAP server handles authentication if specified include or exclude suffixes are missing.
| OID | 2.16.840.1.113730.3.1.2069 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
4.6.9. pamSecure
This attribute sets whether to require secure (TLS/SSL) connections for PAM authentication.
| OID | 2.16.840.1.113730.3.1.2073 |
| Syntax | Boolean |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
4.6.10. pamService
This attribute contains a service name which is passed to PAM. This assumes that the service specified has a configuration file in /etc/pam.d.
Important
The pam_fprintd.so module cannot be in the configuration file referenced by the pamService attribute of the PAM Pass-Through Authentication Plug-in configuration. Using the PAM fprintd module causes the Directory Server to hit the max file descriptor limit and can cause the Directory Server process to abort.
| OID | 2.16.840.1.113730.3.1.2074 |
| Syntax | IA5String |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |