PAM-modules Manual (split by section): chapter ldaphome

7.1 Configuration file for pam_ldaphome

Pam_ldaphome reads its configuration from two files: the configuration file supplied with the config command line option and the system-wide LDAP configuration file /etc/ldap.conf.

The syntax of the former is described in SQL configuration file. Allowed keywords are discussed below.

The syntax of the /etc/ldap.conf configuration file is described in LDAP configuration file in ldap.conf(5) manpage. Its parsing can be suppressed using the ldap-config statement (see below).

From /etc/ldap.conf, the following statements are used: ‘base’, ‘binddn’, ‘bindpw’, ‘tls_cacert’, ‘uri’. The ‘ssl’ statement is understood if its value is ‘start_tls’ or ‘off’. Other values are silently ignored.

In general, all statements defined below can appear in both files. However, since /etc/ldap.conf is read by other system utilities as well, we do not recommend using pam_ldaphome-specific keywords in it.

The values read from pam_ldaphome configuration file override those obtained from the standard LDAP configuration file.
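The two-file resolution described above, as an added example (not code from the pam-modules project): it parses a pam_ldaphome configuration and an /etc/ldap.conf, takes from the latter only the statements the manual lists, applies the override rule, honours ‘ldap-config none’, and then reports what a reviewer would want flagged in the result. Assumed here: both files use one ‘keyword value’ statement per line with ‘#’ comment lines; the mapping of ‘ssl start_tls’/‘ssl off’ onto ‘tls yes’/‘tls no’ is this example's assumption, as are the sample file contents, which are constructed.

```python
"""Resolve pam_ldaphome's effective LDAP settings from its two sources.

Added example, not pam-modules project code. Assumed: one 'keyword value'
statement per line, lines starting with '#' are comments. The set of
/etc/ldap.conf statements honoured and the override order follow the
manual; mapping 'ssl' onto 'tls' is an assumption of this example.
"""

# Statements pam_ldaphome takes from /etc/ldap.conf (per the manual).
LDAP_CONF_KEYS = {"base", "binddn", "bindpw", "tls_cacert", "uri", "ssl"}


def parse_statements(text):
    """Return {keyword: value} for 'keyword value' lines; later lines win."""
    stmts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        stmts[parts[0]] = parts[1].strip() if len(parts) == 2 else ""
    return stmts


def _canonical(key, value):
    """Map ldap.conf spellings onto pam_ldaphome statements; None = ignore."""
    if key == "tls_cacert":
        return "tls-cacert", value
    if key == "ssl":
        if value == "start_tls":
            return "tls", "yes"   # assumption: StartTLS attempted, not required
        if value == "off":
            return "tls", "no"
        return None               # other ssl values are silently ignored
    return key, value


def effective_settings(pam_cfg_text, ldap_conf_text):
    """Merge both files: pam_ldaphome values override /etc/ldap.conf ones.

    ldap_conf_text is the already-read content of the file named by the
    'ldap-config' statement (default /etc/ldap.conf); 'none' skips it."""
    pam = parse_statements(pam_cfg_text)
    settings = {}
    if pam.get("ldap-config", "/etc/ldap.conf") != "none":
        for key, value in parse_statements(ldap_conf_text).items():
            if key in LDAP_CONF_KEYS:
                mapped = _canonical(key, value)
                if mapped:
                    settings[mapped[0]] = mapped[1]
    for key, value in pam.items():        # pam_ldaphome file wins
        mapped = _canonical(key, value)
        if mapped:
            settings[mapped[0]] = mapped[1]
    return settings


def review_findings(settings):
    """Points a reviewer would raise about the resolved settings."""
    findings = []
    tls = settings.get("tls", "no")
    if tls != "only":
        # 'no' never uses TLS; 'yes' continues after a failed StartTLS
        findings.append("tls=%s: the bind may proceed without StartTLS" % tls)
    if tls != "no" and "tls-cacert" not in settings:
        findings.append("TLS enabled but no tls-cacert configured")
    if "bindpw" in settings:
        findings.append("bindpw stored inline; bindpwfile keeps it out of the config")
    return findings


# Constructed sample files (not real deployments).
PAM_CFG = """\
# constructed sample pam_ldaphome configuration
uri ldap://ldap.example.com/
bindpwfile /etc/pam_ldaphome.pw
tls only
tls-cacert /etc/ssl/certs/internal-ca.pem
filter (objectClass=posixAccount)
"""

LDAP_CONF = """\
# constructed sample /etc/ldap.conf, shared with other tools
base dc=example,dc=com
binddn cn=Manager,dc=example,dc=com
bindpw hunter2
uri ldap://127.0.0.1/
ssl start_tls
sizelimit 10
"""

if __name__ == "__main__":
    resolved = effective_settings(PAM_CFG, LDAP_CONF)
    for key in sorted(resolved):
        print("%-12s %s" % (key, resolved[key]))
    for finding in review_findings(resolved):
        print("FINDING:", finding)
```

Running it shows ‘uri’ and ‘tls’ taken from the pam_ldaphome file, ‘base’/‘binddn’/‘bindpw’ picked up from /etc/ldap.conf, ‘sizelimit’ dropped, and the inline ‘bindpw’ flagged.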

LDAP configuration

pam_ldaphome config: base searchbase

Use searchbase as the starting point for the search instead of the default, e.g.:

base dc=gnu,dc=org,dc=ua

pam_ldaphome config: binddn dn

Use the Distinguished Name dn to bind to the LDAP directory. Example:

binddn cn=Manager,dc=gnu,dc=org,dc=ua

pam_ldaphome config: bindpw password

If the binddn statement is used, this statement supplies the password for simple authentication.

pam_ldaphome config: bindpwfile file

Read the password for simple authentication from file.

pam_ldaphome config: filter expr

Sets the LDAP filter expression to return a user profile. The expr should conform to the string representation for search filters as defined in RFC 4515.

pam_ldaphome config: ldap-config file

Read LDAP configuration from file (default – /etc/ldap.conf). Special value ‘none’ disables this feature.

pam_ldaphome config: ldap-version v

Sets the LDAP version to use. Valid values for v are ‘2’ and ‘3’ (the default).

pam_ldaphome config: pubkey-attr text

Defines the name of the attribute which holds the user public key.

pam_ldaphome config: tls val

Controls whether TLS is desired or required. If val is ‘no’ (the default), TLS will not be used. If it is ‘yes’, the module will issue the ‘StartTLS’ command, but will continue anyway if it fails. Finally, if val is ‘only’, TLS is mandatory, and the module will not establish LDAP connection unless ‘StartTLS’ succeeds.

pam_ldaphome config: tls-cacert val
pam_ldaphome config: tls_cacert val

Full pathname to the CA certificate file. Used if TLS is enabled. The second form (‘tls_cacert’) is for use in /etc/ldap.conf file.

pam_ldaphome config: uri arg

Sets the URI of the LDAP server to consult for the user profile. Example:

uri ldap://127.0.0.1/

Home directory creation

pam_ldaphome config: allow-home-dir path

If present, this option controls where pam_ldaphome should try to create home directories. Its value is a list of directories separated by colons. The user’s home directory will be created only if the directory part of its name is listed in path.

pam_ldaphome config: copy-buf-size n

Sets the size of the buffer used to copy files from the skeleton directory to the newly created home. The default size is 16384 bytes.

pam_ldaphome config: home-dir-mode mode

Sets the mode (octal) for the created user directories.

pam_ldaphome config: skel dir

Supplies the name of a skeleton directory. The contents of this directory are copied to the newly created user home directory. The file modes and permissions are preserved.

Authorized keys file

pam_ldaphome config: authorized_keys name

Sets the pathname (relative to the home directory) for the authorized keys file. The default is ‘.ssh/authorized_keys’. For normal operation, this value must be the same as the value of ‘AuthorizedKeysFile’ variable in sshd_config. Unless you change the latter, there’s no need to edit it.

pam_ldaphome config: import-public-keys bool

When set to ‘no’, disables importing public keys from LDAP. You may wish to use this option if you are using openssh 6.1 or later with ldappubkey as ‘AuthorizedKeysCommand’.

pam_ldaphome config: keyfile-mode mode

Sets the mode (octal) for the created authorized keys file.

pam_ldaphome config: user-keys-boundary string

User key files can contain both keys managed by pam_ldaphome and keys added by the user. These two groups of keys must be separated by a special comment line, which informs the module that all keys below it must be retained.

This feature is enabled by the user-keys-boundary setting. The delimiting comment is formed as ‘#string’. E.g. if the configuration file contains:

user-keys-boundary :user-defined

then the line ‘#:user-defined’ can be used to delimit ldap-synchronized and user-specific keys.
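The boundary mechanism above, as an added example (not code from the pam-modules project): it rebuilds an authorized keys file so that the LDAP-synchronized keys replace everything above the ‘#string’ line while that line and the user's own keys below it survive, and it partitions an existing file the same way so an administrator can audit which keys on a host are user-added. Assumed here: a file with no boundary line is treated as entirely LDAP-managed and replaced in full; the key strings are constructed placeholders, not real key material.

```python
"""authorized_keys synchronisation with a user-keys-boundary line.

Added example, not pam-modules project code. Assumption: when no boundary
line is present the whole file is LDAP-managed and is replaced.
"""


def _boundary_index(lines, boundary):
    """Index of the '#boundary' line, or None when absent/disabled."""
    if boundary is None:
        return None
    marker = "#" + boundary
    for i, line in enumerate(lines):
        if line.strip() == marker:
            return i
    return None


def sync_authorized_keys(current, ldap_keys, boundary):
    """Return the new file text: LDAP keys, then the boundary line and the
    user-specific keys below it (if a boundary line exists)."""
    lines = current.splitlines()
    idx = _boundary_index(lines, boundary)
    retained = lines[idx:] if idx is not None else []   # marker + user keys
    return "\n".join(list(ldap_keys) + retained) + "\n"


def partition_keys(text, boundary):
    """Split an existing file into (ldap_managed, user_added) key lines,
    skipping blank and comment lines; useful for auditing a host."""
    lines = text.splitlines()
    idx = _boundary_index(lines, boundary)
    above = lines if idx is None else lines[:idx]
    below = [] if idx is None else lines[idx + 1:]
    is_key = lambda l: l.strip() and not l.lstrip().startswith("#")
    return [l for l in above if is_key(l)], [l for l in below if is_key(l)]


# Constructed sample data: placeholder key strings, not real keys.
BOUNDARY = ":user-defined"
CURRENT_FILE = """\
ssh-ed25519 AAAA-constructed-old-ldap-key alice@ldap
#:user-defined
ssh-ed25519 AAAA-constructed-user-key alice@laptop
"""
LDAP_KEYS = ["ssh-ed25519 AAAA-constructed-new-ldap-key alice@ldap"]

if __name__ == "__main__":
    new_file = sync_authorized_keys(CURRENT_FILE, LDAP_KEYS, BOUNDARY)
    print(new_file)
    managed, user = partition_keys(new_file, BOUNDARY)
    print("LDAP-managed:", managed)
    print("user-added:  ", user)
```

The old LDAP key is dropped, the new one written, and the laptop key below the ‘#:user-defined’ line is kept; the boundary line itself is preserved so the next synchronization behaves the same way.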

Access control

pam_ldaphome config: allow-groups group [group...]

Only handle members of the listed groups.

pam_ldaphome config: min-gid n

Sets the minimal GID. For users with GIDs less than n, pam_ldaphome returns PAM_SUCCESS immediately.

pam_ldaphome config: min-uid n

Sets the minimal UID. For users with UIDs less than n, pam_ldaphome returns PAM_SUCCESS immediately. This allows you to have a set of basic users whose credentials are kept in the system database and who will not be disturbed by pam_ldaphome. See also ‘min-gid’ and ‘allow-groups’.
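The exemption rules in this section (‘min-uid’, ‘min-gid’, ‘allow-groups’) and the ‘allow-home-dir’ check from the home directory creation section, as an added example (not code from the pam-modules project). It lets an administrator confirm which accounts pam_ldaphome would leave untouched and whether a given home path would be created under the listed directories. Assumed here: group membership counts for both primary and supplementary groups, and the home path is normalized before its directory part is compared, so ‘..’ components cannot point outside a listed directory; the sample configuration is constructed.

```python
"""Which users pam_ldaphome skips, and where it may create homes.

Added example, not pam-modules project code. Assumptions: allow-groups
matches primary or supplementary membership; home paths are normalised
before the directory part is compared with the allow-home-dir list.
"""
import os


def pam_ldaphome_skips_user(uid, gid, groups, cfg):
    """True when the module would return PAM_SUCCESS immediately.

    cfg maps statement names to their value strings as in the config file."""
    if "min-uid" in cfg and uid < int(cfg["min-uid"]):
        return True
    if "min-gid" in cfg and gid < int(cfg["min-gid"]):
        return True
    allowed = cfg.get("allow-groups")
    if allowed is not None and not set(allowed.split()) & set(groups):
        return True          # only members of the listed groups are handled
    return False


def home_dir_allowed(home, allow_home_dir):
    """allow-home-dir rule: the directory part of the (normalised) home path
    must equal one of the colon-separated entries."""
    parent = os.path.dirname(os.path.normpath(home))
    allowed = {os.path.normpath(p) for p in allow_home_dir.split(":") if p}
    return parent in allowed


# Constructed sample configuration.
SAMPLE_CFG = {
    "min-uid": "1000",
    "min-gid": "1000",
    "allow-groups": "ldapusers staff",
    "allow-home-dir": "/home:/export/home",
}

if __name__ == "__main__":
    for uid, gid, groups in [(0, 0, ["root"]), (1000, 1000, ["ldapusers"]),
                             (2000, 2000, ["guests"])]:
        print(uid, groups, "skipped" if
              pam_ldaphome_skips_user(uid, gid, groups, SAMPLE_CFG) else "handled")
    for home in ["/home/alice", "/home/alice/../../etc/cron.d", "/srv/bob"]:
        print(home, home_dir_allowed(home, SAMPLE_CFG["allow-home-dir"]))
```

Local system accounts below the UID/GID floor and users outside the listed groups are skipped; a home path whose normalized parent is not ‘/home’ or ‘/export/home’ is refused, including one that uses ‘..’ to reach /etc.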

Initialization script

The following statements instruct pam_ldaphome to invoke an external command after initializing the user home directory. This can be used to customize the files copied from the skeleton directory according to the user.

pam_ldaphome config: exec-timeout seconds

Sets the maximum time the initrc-command is allowed to run. If it runs longer than seconds, it will be terminated with a ‘SIGKILL’, and the module will return PAM_SYSTEM_ERR.

pam_ldaphome config: initrc-command command

Run command after populating the user home directory with files from the skeleton directory.

The user login name is passed to the command as its argument. Before invoking, the current working directory is changed to the user home, standard input is closed, and standard output is redirected to standard error.

The command is run under the current user privileges, unless the variable initrc-root is set to true.

The command should exit with code 0 on success. If it exits with a non-zero code, pam_ldaphome will report ‘PAM_SYSTEM_ERR’.

pam_ldaphome config: initrc-root bool

When set to true, initrc-command will be run with root privileges. In this case, the environment variable PAM_LDAPHOME_USER will be initialized to the name of the user who is trying to log in.

pam_ldaphome config: initrc-log file

This statement redirects the standard output and error from the initrc-command to file.

pam_ldaphome config: initrc-environ env ...

Modifies the environment of initrc-command.

This statement takes one or more arguments. Each argument can be one of:

- (a dash)

Clear the environment. This is understood only when used as the first argument.

-name

Unset the environment variable name.

-name=val

Unset the environment variable name only if its value is val.

name

Retain the environment variable name.

name=value

Define environment variable name to have given value.

name+=value

Retain variable name and append value to its existing value. If no such variable is present in the environment, it is created and value is assigned to it. However, if value begins with a punctuation character, this character is removed from it before the assignment. This is convenient for using this construct with environment variables like PATH, e.g.:

PATH+=:/sbin

In this example, if PATH exists, ‘:/sbin’ will be appended to it. Otherwise, it will be created and ‘/sbin’ will be assigned to it.

name=+value

Retain variable name and prepend value to its existing value. If no such variable is present in the environment, it is created and value is assigned to it. However, if value ends with a punctuation character, this character is removed from it before assignment.

The value part can be enclosed in single or double quotes, in which case the usual shell dequoting rules apply.
