pam_ldap LDAP Actions
=====================

The following list describes the actions pam_ldap performs on the LDAP
server and the LDAP objects and attributes they touch. The information
in the list may be used to determine the permissions required on
objects and attributes in the directory.

To be able to fully perform one of the listed actions, the accounts
listed under 'Account' need read access to the attributes listed under
'Attributes' and compare access to the attributes used in the filters
listed under 'Filter', for all objects in the directory branch that
starts at 'Base'.


User Search
-----------

* Account:
    VALUE OF rootbinddn   (if geteuid() == 0 and 'rootbinddn' is set)
    VALUE OF binddn       (if geteuid() != 0 or 'rootbinddn' isn't set)
    anonymous             (if 'binddn' is not set)

* Base:
    VALUE OF nss_base_passwd
    VALUE OF base         (if 'nss_base_passwd' is not set)

* Filter:
    AND combination of the following partial filters:
      VALUE OF pam_filter
      VALUE OF FILTER PART OF nss_base_passwd
      (LoginAttr=UserName)
    where
      LoginAttr = VALUE OF pam_login_attribute (default: uid)
      UserName  = the account name of the user
    If either 'pam_filter' or 'nss_base_passwd' is not set, the
    associated part is left out.

* Attributes:
    host
    authorizedService
    uidNumber
    VALUE OF pam_template_login_attribute
    shadowLastChange
    shadowMin
    shadowMax
    shadowWarning
    shadowInactive
    shadowExpire
    shadowFlag


Password Change for a User
--------------------------

* Account:
    VALUE OF rootbinddn   (if geteuid() == 0 and 'rootbinddn' is set)
    user's DN             (as found in the 'User Search')

* Base:
    VALUE OF nss_base_passwd
    VALUE OF base         (if 'nss_base_passwd' is not set)

* Attributes (write access necessary):
    userPassword          (if 'pam_password' is not set to 'ad')
    unicodePwd            (if 'pam_password' is set to 'ad')
    shadowLastChange


Group Membership Search
-----------------------

* Comment:
    only performed if 'pam_groupdn' is set

* Account:
    VALUE OF rootbinddn   (if geteuid() == 0 and 'rootbinddn' is set)
    VALUE OF binddn       (if geteuid() != 0 or 'rootbinddn' isn't set)
    anonymous             (if 'binddn' is not set)

* Base:
    VALUE OF pam_groupdn

* Filter:
    (MemberAttr=UserDN)
    where
      MemberAttr = VALUE OF pam_member_attribute (default: uniqueMember)
      UserDN     = user's DN (as found in 'User Search')


Password-Policy Search
----------------------

* Comment:
    only performed if 'pam_lookup_policy' is set to yes

* Account:
    VALUE OF rootbinddn   (if geteuid() == 0 and 'rootbinddn' is set)
    VALUE OF binddn       (if geteuid() != 0 or 'rootbinddn' isn't set)
    anonymous             (if 'binddn' is not set)

* Base:
    TREE-ROOT

* Filter:
    (objectclass=passwordPolicy)

* Attributes:
    passwordMaxFailure
    passwordMinLength

-- 
Peter Marschall
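The list above is meant to be turned into directory permissions. The
following script is an added example, not part of pam_ldap: it applies the
rules listed on this page (which account binds, which base is searched, how
the user search filter is composed, which attributes need read, compare or
write access) to a pam_ldap.conf and prints the result as OpenLDAP access
clauses. SAMPLE_CONFIG and its DNs are constructed for illustration; the
RFC 4515 escaping of the user name is this example's own choice (the page
does not say how pam_ldap treats the name); render_openldap_acl assumes an
OpenLDAP server and treats 'base' as the tree root for the policy search.

```python
# Added example, not pam_ldap code: derive the permissions pam_ldap needs
# from its configuration, following the rules on this page.
import re

# Attributes read from the user entry (the 'User Search' attribute list).
USER_ATTRS = ["host", "authorizedService", "uidNumber", "shadowLastChange",
              "shadowMin", "shadowMax", "shadowWarning", "shadowInactive",
              "shadowExpire", "shadowFlag"]

SAMPLE_CONFIG = {  # constructed pam_ldap.conf values, for illustration only
    "base": "dc=example,dc=com",
    "binddn": "cn=pam-proxy,ou=Services,dc=example,dc=com",
    "rootbinddn": "cn=pam-root,ou=Services,dc=example,dc=com",
    "nss_base_passwd": "ou=People,dc=example,dc=com?one?(objectClass=posixAccount)",
    "pam_filter": "host=login.example.com",
    "pam_groupdn": "cn=shell-users,ou=Groups,dc=example,dc=com",
    "pam_lookup_policy": "yes",
}

def escape_filter_value(value):
    """RFC 4515 escaping (this example's choice) so a user name cannot
    change the filter structure."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)

def split_nss_base(value):
    """nss_base_passwd uses the nss_ldap form 'base?scope?filter'."""
    base, _, rest = value.partition("?")
    scope, _, flt = rest.partition("?")
    return base, scope or "sub", flt or None

def bind_account(cfg, euid):
    """rootbinddn only when running as root; otherwise binddn, else anonymous."""
    if euid == 0 and cfg.get("rootbinddn"):
        return cfg["rootbinddn"]
    return cfg.get("binddn") or "anonymous"

def passwd_base(cfg):
    nss = cfg.get("nss_base_passwd")
    return split_nss_base(nss)[0] if nss else cfg["base"]

def user_search_filter(cfg, username):
    """AND of pam_filter, the filter part of nss_base_passwd and
    (LoginAttr=UserName); an unset part is left out."""
    paren = lambda f: f if f.startswith("(") else "(" + f + ")"
    parts = [paren(cfg["pam_filter"])] if cfg.get("pam_filter") else []
    if cfg.get("nss_base_passwd"):
        flt = split_nss_base(cfg["nss_base_passwd"])[2]
        if flt:
            parts.append(paren(flt))
    login_attr = cfg.get("pam_login_attribute", "uid")
    parts.append("(%s=%s)" % (login_attr, escape_filter_value(username)))
    return parts[0] if len(parts) == 1 else "(&" + "".join(parts) + ")"

def filter_attributes(flt):
    """Attribute names compared in a filter; these need compare access."""
    return sorted(set(re.findall(r"\(([A-Za-z][\w;-]*)[~<>]?=", flt)))

def required_permissions(cfg, euid=0):
    """One dict per (accounts, base, access level, attributes) the page lists."""
    acct, base = bind_account(cfg, euid), passwd_base(cfg)
    tmpl = cfg.get("pam_template_login_attribute")
    pw_attr = "unicodePwd" if cfg.get("pam_password") == "ad" else "userPassword"
    writers = ["self"] + ([cfg["rootbinddn"]] if cfg.get("rootbinddn") else [])
    reqs = [
        {"accounts": [acct], "base": base, "access": "read",
         "attrs": USER_ATTRS + ([tmpl] if tmpl else [])},
        {"accounts": [acct], "base": base, "access": "compare",
         "attrs": filter_attributes(user_search_filter(cfg, "x"))},
        {"accounts": writers, "base": base, "access": "write",
         "attrs": [pw_attr, "shadowLastChange"]},
    ]
    if cfg.get("pam_groupdn"):
        reqs.append({"accounts": [acct], "base": cfg["pam_groupdn"], "access": "compare",
                     "attrs": [cfg.get("pam_member_attribute", "uniqueMember")]})
    if cfg.get("pam_lookup_policy") == "yes":
        # The page says this search starts at the tree root; 'base' is
        # assumed to be the tree root here.
        reqs.append({"accounts": [acct], "base": cfg["base"], "access": "read",
                     "attrs": ["passwordMaxFailure", "passwordMinLength"]})
    return reqs

def render_openldap_acl(reqs):
    """Assumed OpenLDAP rendering: read implies search and compare, filter
    evaluation needs search, a match is returned only with read on the
    'entry' pseudo-attribute, and only the first matching 'access to'
    clause counts, so accounts needing the same attributes share a clause."""
    who = lambda a: a if a in ("self", "anonymous") else 'dn.exact="%s"' % a
    lines = []
    for r in reqs:
        level = "search" if r["access"] == "compare" else r["access"]
        attrs = ",".join((["entry"] if level == "read" else []) + r["attrs"])
        by = " ".join("by %s %s" % (who(a), level) for a in r["accounts"])
        if level == "write":
            by += " by * auth"  # binds still need auth access to the password
        lines.append('access to dn.subtree="%s" attrs=%s %s' % (r["base"], attrs, by))
    return lines

if __name__ == "__main__":
    print(user_search_filter(SAMPLE_CONFIG, "alice"))
    print(user_search_filter(SAMPLE_CONFIG, "*)(uid=*"))
    print("\n".join(render_openldap_acl(required_permissions(SAMPLE_CONFIG))))
```

Two points worth checking against a real server: the page asks for compare
access on filter attributes, but OpenLDAP evaluates a search filter with the
search privilege (one step above compare), which is why the renderer grants
search there and read, which includes both, on the returned attributes; and
the password clause keeps 'by * auth' so that simple binds against
userPassword keep working after write access is restricted to the user and
rootbinddn. The second print in the script shows that a user name such as
"*)(uid=*" is escaped rather than closing the login-attribute term of the
filter.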