#
#ident	"@(#)pam.conf	1.28	04/04/21 SMI"
#
# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login	auth requisite		pam_authtok_get.so.1
login	auth required		pam_dhkeys.so.1
login	auth required		pam_unix_cred.so.1
login	auth sufficient		pam_ldap.so.1 try_first_pass
login	auth sufficient		pam_unix_auth.so.1
login	auth required		pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin	auth sufficient		pam_rhosts_auth.so.1
rlogin	auth requisite		pam_authtok_get.so.1
rlogin	auth required		pam_dhkeys.so.1
rlogin	auth required		pam_unix_cred.so.1
rlogin	auth sufficient		pam_ldap.so.1 try_first_pass
rlogin	auth sufficient		pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin	auth required		pam_unix_cred.so.1
krlogin	auth binding		pam_krb5.so.1
krlogin	auth sufficient		pam_ldap.so.1
krlogin	auth sufficient		pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh	auth sufficient		pam_rhosts_auth.so.1
rsh	auth required		pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh	auth required		pam_unix_cred.so.1
krsh	auth binding		pam_krb5.so.1
krsh	auth sufficient		pam_ldap.so.1
krsh	auth sufficient		pam_unix_auth.so.1
#
# Kerberized telnet service
#
ktelnet	auth required		pam_unix_cred.so.1
ktelnet	auth binding		pam_krb5.so.1
ktelnet	auth sufficient		pam_ldap.so.1
ktelnet	auth sufficient		pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp	auth requisite		pam_authtok_get.so.1
ppp	auth required		pam_dhkeys.so.1
ppp	auth required		pam_unix_cred.so.1
ppp	auth sufficient		pam_ldap.so.1
ppp	auth sufficient		pam_unix_auth.so.1
ppp	auth required		pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other	auth requisite		pam_authtok_get.so.1
other	auth required		pam_dhkeys.so.1
other	auth required		pam_unix_cred.so.1
other	auth sufficient		pam_ldap.so.1
other	auth sufficient		pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd	auth required		pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron	account required	pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other	account requisite	pam_roles.so.1
other	account required	pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other	session required	pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other	password required	pam_dhkeys.so.1
other	password requisite	pam_authtok_get.so.1
other	password requisite	pam_authtok_check.so.1
other	password required	pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
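Reordering a PAM stack is where most mistakes in this kind of setup happen, so here is an added Python simulation (not part of the page and not Sun's code) of the control-flag rules documented in pam.conf(4): requisite, required, binding, sufficient and optional. It parses the login auth stack exactly as configured above (constructed copy embedded inline), then walks it with simulated per-module outcomes; nothing is actually authenticated. The point it makes visible: a sufficient module that succeeds ends the stack, so pam_dial_auth is only reached when neither pam_ldap nor pam_unix_auth has accepted the user, or when a required module above them has already failed.

```python
"""Simulate Solaris pam.conf(4) control-flag semantics for one stack.

Added example, not from the page: models the documented rules for
binding, required, requisite, sufficient and optional so you can see
which modules are consulted and what the stack returns for a given set
of per-module outcomes.  Module results are simulated, not real.
"""

# Constructed excerpt: the login auth stack as configured above.
PAM_CONF = """\
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth sufficient         pam_ldap.so.1 try_first_pass
login   auth sufficient         pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
"""


def parse_stack(text, service, mtype):
    """Return [(control_flag, module, options)] for service/type, in file order."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[0] != service or fields[1] != mtype:
            continue
        stack.append((fields[2], fields[3], fields[4:]))
    return stack


def evaluate(stack, outcomes):
    """Walk the stack with the pam.conf(4) rules.

    outcomes maps module name -> True (success) / False (failure); modules
    not listed are assumed to succeed.  Returns (result, consulted) where
    result is "success" or the name of the module whose failure is the
    stack's return value, and consulted lists the modules actually called.
    """
    required_error = None   # first failure from a required/binding module
    optional_error = None   # first failure from a sufficient/optional module
    consulted = []
    for flag, module, _opts in stack:
        consulted.append(module)
        if outcomes.get(module, True):
            # a binding/sufficient success ends the stack unless a required
            # module has already failed
            if flag in ("binding", "sufficient") and required_error is None:
                return "success", consulted
            continue
        if flag in ("required", "binding"):
            if required_error is None:
                required_error = module
        elif flag == "requisite":
            # stop now: the first required error wins, else this module's
            return required_error or module, consulted
        elif flag in ("sufficient", "optional"):
            if optional_error is None:
                optional_error = module
        else:
            raise ValueError("unknown control flag %r for %s" % (flag, module))
    # end of stack: required errors first, then optional errors, else success
    if required_error is not None:
        return required_error, consulted
    if optional_error is not None:
        return optional_error, consulted
    return "success", consulted


if __name__ == "__main__":
    login_auth = parse_stack(PAM_CONF, "login", "auth")
    scenarios = {
        "LDAP password accepted": {},
        "LDAP rejects, local passwd accepts": {"pam_ldap.so.1": False},
        "both password checks reject": {"pam_ldap.so.1": False,
                                        "pam_unix_auth.so.1": False},
        "pam_unix_cred fails first": {"pam_unix_cred.so.1": False},
    }
    for label, outcomes in scenarios.items():
        result, consulted = evaluate(login_auth, outcomes)
        print("%-36s -> %-22s consulted: %s"
              % (label, result, ", ".join(consulted)))
```

Run it directly to print the four scenarios. Feeding it another service's lines (the krlogin stack with its binding pam_krb5 entry, for instance) shows the same rules applied to that stack.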
Configure the /etc/nsswitch.ldap file
Keep "ldap" only where it is useful: for now, on the passwd: and group: lines. For the rest, use the content of the /etc/nsswitch.dns file. This gives:
#
# Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
#
# /etc/nsswitch.dns:
#
# An example file that could be copied over to /etc/nsswitch.conf; it uses
# DNS for hosts lookups, otherwise it does not use any other naming service.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

# DNS service expects that an instance of svc:/network/dns/client be
# enabled and online.

passwd:     files ldap
group:      files ldap

# You must also set up the /etc/resolv.conf file for DNS name
# server lookup.  See resolv.conf(4).
hosts:      files dns

# Note that IPv4 addresses are searched for in all of the ipnodes databases
# before searching the hosts databases.
ipnodes:    files dns

networks:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
bootparams: files
publickey:  files
# At present there isn't a 'files' backend for netgroup;  the system will
#   figure it out pretty quickly, and won't use netgroups at all.
netgroup:   files
automount:  files
aliases:    files
services:   files
printers:   user files

auth_attr:  files
prof_attr:  files
project:    files

tnrhtp:     files
tnrhdb:     files
Once that is done, we can proceed with the configuration. Note: if you are in a cluster environment, adapt this to your initial configuration:
Note: it seems that the ldapclient command is buggy and requires the proxyDN and proxyPassword parameters even when they are unused (and whatever they contain)!
#
# Copyright 2003 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# ident	"@(#)auto_home	1.6	03/04/28 SMI"
#
# Home directory map for automounter
#
+auto_home
*	localhost:/export/home/&
If you want home directories to be created automatically, you need to port the pam_mkhomedir module from Linux:
#
# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
#
NS_LDAP_FILE_VERSION=2.0
NS_LDAP_SERVERS=server2,server1
NS_LDAP_SEARCH_BASEDN=dc=openldap,dc=mycompany,dc=com
NS_LDAP_AUTH=simple
NS_LDAP_CACHETTL=0
NS_LDAP_SERVICE_SEARCH_DESC=passwd:dc=openldap,dc=mycompany,dc=com?sub?&(&(objectClass=posixAccount)(!(objectClass=computer)))
NS_LDAP_SERVICE_SEARCH_DESC=shadow:dc=openldap,dc=mycompany,dc=com?sub
NS_LDAP_SERVICE_SEARCH_DESC=group:dc=openldap,dc=mycompany,dc=com?sub
NS_LDAP_SERVICE_AUTH_METHOD=pam_ldap:simple
#
# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
#
NS_LDAP_BINDDN=cn=admin,dc=openldap,dc=mycompany,dc=lan
NS_LDAP_BINDPASSWD={NS1}4a3788e8c053424f
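The two files above are what ldapclient writes; the service search descriptors in particular pack service, base DN, scope and filter into one `service:base?scope?filter` string, which is easy to misread when auditing what the client actually searches. Here is an added Python parser (my example, not the page's or Sun's code) that reads the ldapclient key=value format, keeps the repeatable keys as lists, splits each descriptor, and flags one setting a practitioner checks before going live: with NS_LDAP_AUTH and the pam_ldap service method both set to plain `simple`, bind passwords cross the network in clear text unless a TLS method (`tls:simple`) is used instead. The file contents embedded below are a constructed copy of the ldap_client_file shown above; the {NS1} value in ldap_client_cred is a reversible encoding of the proxy password, not a hash, which is why that file must stay readable by root only.

```python
"""Parse the Solaris ldapclient(1M) client file format and audit it.

Added example, not from the page: reads NS_LDAP_* key=value lines,
collects repeatable keys as lists, decomposes service search
descriptors (service:base?scope?filter) and reports clear-text bind
methods.  The embedded file is a constructed copy of the page's config.
"""

# Constructed copy of /var/ldap/ldap_client_file as shown above.
CLIENT_FILE = """\
#
# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
#
NS_LDAP_FILE_VERSION=2.0
NS_LDAP_SERVERS=server2,server1
NS_LDAP_SEARCH_BASEDN=dc=openldap,dc=mycompany,dc=com
NS_LDAP_AUTH=simple
NS_LDAP_CACHETTL=0
NS_LDAP_SERVICE_SEARCH_DESC=passwd:dc=openldap,dc=mycompany,dc=com?sub?&(&(objectClass=posixAccount)(!(objectClass=computer)))
NS_LDAP_SERVICE_SEARCH_DESC=shadow:dc=openldap,dc=mycompany,dc=com?sub
NS_LDAP_SERVICE_SEARCH_DESC=group:dc=openldap,dc=mycompany,dc=com?sub
NS_LDAP_SERVICE_AUTH_METHOD=pam_ldap:simple
"""

# Keys that may legitimately appear more than once (one entry per service).
REPEATABLE = {"NS_LDAP_SERVICE_SEARCH_DESC", "NS_LDAP_SERVICE_AUTH_METHOD"}


def parse_client_file(text):
    """Return {key: value} with repeatable keys mapped to lists of values."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")      # only the first '=' separates key from value
        key, value = key.strip(), value.strip()
        if key in REPEATABLE:
            settings.setdefault(key, []).append(value)
        else:
            settings[key] = value
    return settings


def parse_ssd(desc):
    """Split 'service:base?scope?filter' into its parts.

    scope and filter are optional; when absent they are returned as None
    (the client then falls back to its profile defaults).  A '?' cannot
    occur inside a DN, so splitting on it is safe for the base.
    """
    service, _, rest = desc.partition(":")
    parts = rest.split("?", 2)
    return {
        "service": service,
        "base": parts[0],
        "scope": parts[1] if len(parts) > 1 and parts[1] else None,
        "filter": parts[2] if len(parts) > 2 and parts[2] else None,
    }


def effective_searches(settings):
    """Map service name -> parsed descriptor for every SSD in the file."""
    return {ssd["service"]: ssd
            for ssd in map(parse_ssd, settings.get("NS_LDAP_SERVICE_SEARCH_DESC", []))}


def audit(settings):
    """Return human-readable findings about clear-text bind methods."""
    findings = []
    methods = {"default": settings.get("NS_LDAP_AUTH", "")}
    for entry in settings.get("NS_LDAP_SERVICE_AUTH_METHOD", []):
        service, _, method_list = entry.partition(":")   # "pam_ldap:simple"
        methods[service] = method_list
    for who, method_list in methods.items():
        for method in method_list.split(";"):            # methods may be ';'-separated
            if method.strip() == "simple":
                findings.append("%s: bind method 'simple' sends the password in "
                                "clear text; prefer tls:simple" % who)
    return findings


if __name__ == "__main__":
    cfg = parse_client_file(CLIENT_FILE)
    print("servers:", cfg["NS_LDAP_SERVERS"])
    for name, ssd in effective_searches(cfg).items():
        print("%-7s base=%s scope=%s filter=%s"
              % (name, ssd["base"], ssd["scope"], ssd["filter"]))
    for finding in audit(cfg):
        print("FINDING:", finding)
```

The parser is deliberately forgiving about whitespace around `=` because ldapclient itself writes `KEY= value` on some releases; the same function can be pointed at ldap_client_cred to read NS_LDAP_BINDDN, since both files share the format.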
To generate a password, use the ldap_gen_profil command: