| author | Huie-Ying Lee <huieying.lee@oracle.com> |
| Tue, 20 Sep 2016 12:05:25 -0700 | |
| branch | s11u3-sru |
| changeset 6937 | 1366743d2272 |
| parent 291 | b454e61af367 |
| child 7455 | cefc5b17cc4b |
| permissions | -rw-r--r-- |
|
291
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
1 |
# |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
2 |
# Configuration file for pam_pkcs11 module |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
3 |
# |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
4 |
# Original Author: Juan Antonio Martinez <[email protected]> |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
5 |
# |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
6 |
pam_pkcs11 {
|
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
7 |
# Allow empty passwords |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
8 |
nullok = true; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
9 |
|
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
10 |
# Enable debugging support. |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
11 |
debug = true; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
12 |
|
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
13 |
# Filename of the PKCS #11 module. The default value is "default" |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
14 |
use_pkcs11_module = default; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
15 |
|
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
16 |
pkcs11_module default {
|
|
6937
1366743d2272
PSARC/2016/427 PAM_PKCS11 0.6.8
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
291
diff
changeset
|
17 |
module = /usr/lib/$ISA/libpkcs11.so; |
|
291
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
18 |
description = "Solaris PKCS#11 Cryptographic Framework library"; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
19 |
|
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
20 |
# Which slot to use? |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
21 |
# You can use "slot_description" or "slot_num", but not both, to specify |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
22 |
# the slot to use. Using "slot_description" is preferred because the |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
23 |
# PKCS#11 specification does not guarantee slot ordering. "slot_num" should |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
24 |
# only be used with those PKCS#11 implementations that guarantee |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
25 |
# constant slot numbering. |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
26 |
# |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
27 |
# slot_description = "xxxx" |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
28 |
# The slot is specified by the slot description, for example, |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
29 |
# slot_description = "Sun Crypto Softtoken". The default value is |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
30 |
# "none" which means to use the first slot with an available token. |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
31 |
# |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
32 |
# slot_num = a_number |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
33 |
# The slot is specified by the slot number, for example, slot_num = 1. |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
34 |
# The default value is zero which means to use the first slot with an |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
35 |
# available token. |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
36 |
# |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
37 |
# On Solaris OS, an administrator can use the "cryotoadm list -v" command |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
38 |
# to find all the available slots and their slot descriptions. For more |
|
6937
1366743d2272
PSARC/2016/427 PAM_PKCS11 0.6.8
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
291
diff
changeset
|
39 |
# information, see the libpkcs11(3LIB) and cryptoadm(8) man pages. |
|
291
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
40 |
# |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
41 |
slot_description = "none"; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
42 |
|
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
43 |
# Where are CA certificates stored? |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
44 |
# You can setup this value to: |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
45 |
# 1- A directory with openssl hash-links to all certificates |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
46 |
# 2- A CA file in PEM (.pem) or ASN1 (.cer) format, |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
47 |
# containing all allowed CA certs |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
48 |
# The default value is /etc/security/pam_pkcs11/cacerts. |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
49 |
ca_dir = /etc/security/pam_pkcs11/cacerts; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
50 |
|
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
51 |
# Path to the directory where the local (offline) CRLs are stored. |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
52 |
# Same convention as above is applied: you can choose either |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
53 |
# hash-link directory or CRL file |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
54 |
# The default value is /etc/security/pam_pkcs11/crls. |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
55 |
crl_dir = /etc/security/pam_pkcs11/crls; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
56 |
|
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
57 |
# Some pcks#11 libraries can handle multithreading. So |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
58 |
# set it to true to properly call C_Initialize() |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
59 |
support_threads = false; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
60 |
|
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
61 |
# Sets the Certificate verification policy. |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
62 |
# "none" Performs no verification |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
63 |
# "ca" Does CA check |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
64 |
# "crl_online" Downloads the CRL form the location given by the |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
65 |
# CRL distribution point extension of the certificate |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
66 |
# "crl_offline" Uses the locally stored CRLs |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
67 |
# "crl_auto" Is a combination of online and offline; it first |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
68 |
# tries to download the CRL from a possibly given CRL |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
69 |
# distribution point and if this fails, uses the local |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
70 |
# CRLs |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
71 |
# "signature" Does also a signature check to ensure that private |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
72 |
# and public key matches |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
73 |
# You can use a combination of ca,crl, and signature flags, or just |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
74 |
# use "none". |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
75 |
# cert_policy = ca,signature; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
76 |
cert_policy = signature; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
77 |
|
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
78 |
# What kind of token? |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
79 |
# The value of the token_type parameter will be used in the user prompt |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
80 |
# messages. The default value is "Smart card". |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
81 |
token_type = "Secure token"; |
|
6937
1366743d2272
PSARC/2016/427 PAM_PKCS11 0.6.8
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
291
diff
changeset
|
82 |
|
|
1366743d2272
PSARC/2016/427 PAM_PKCS11 0.6.8
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
291
diff
changeset
|
83 |
# The err_display_time option suspends execution for an interval of time |
|
1366743d2272
PSARC/2016/427 PAM_PKCS11 0.6.8
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
291
diff
changeset
|
84 |
# in seconds after each PAM message is shown. |
|
1366743d2272
PSARC/2016/427 PAM_PKCS11 0.6.8
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
291
diff
changeset
|
85 |
err_display_time = 0; |
|
1366743d2272
PSARC/2016/427 PAM_PKCS11 0.6.8
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
291
diff
changeset
|
86 |
|
|
1366743d2272
PSARC/2016/427 PAM_PKCS11 0.6.8
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
291
diff
changeset
|
87 |
# The quiet option can be used to disable error messages. |
|
1366743d2272
PSARC/2016/427 PAM_PKCS11 0.6.8
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
291
diff
changeset
|
88 |
quiet = false; |
|
291
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
89 |
} |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
90 |
|
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
91 |
# Which mappers ( Cert to login ) to use? |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
92 |
# you can use several mappers: |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
93 |
# |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
94 |
# subject - Cert Subject to login file based mapper |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
95 |
# pwent - CN to getpwent() login or gecos fields mapper |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
96 |
# ldap - LDAP mapper |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
97 |
# opensc - Search certificate in ${HOME}/.eid/authorized_certificates
|
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
98 |
# openssh - Search certificate public key in ${HOME}/.ssh/authorized_keys
|
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
99 |
# mail - Compare email fields from certificate |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
100 |
# ms - Use Microsoft Universal Principal Name extension |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
101 |
# krb - Compare againts Kerberos Principal Name |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
102 |
# cn - Compare Common Name (CN) |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
103 |
# uid - Compare Unique Identifier |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
104 |
# digest - Certificate digest to login (mapfile based) mapper |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
105 |
# generic - User defined certificate contents mapped |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
106 |
# null - blind access/deny mapper |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
107 |
# |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
108 |
# You can select a comma-separated mapper list. |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
109 |
# If used null mapper should be the last in the list :-) |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
110 |
# Also you should select at least one mapper, otherwise |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
111 |
# certificate will not match :-) |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
112 |
# use_mappers = digest, cn, pwent, uid, mail, subject, null; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
113 |
use_mappers = cn; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
114 |
|
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
115 |
# When no absolute path or module info is provided, use this |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
116 |
# value as module search path |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
117 |
# TODO: |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
118 |
# This is not still functional: use absolute pathnames or LD_LIBRARY_PATH |
|
6937
1366743d2272
PSARC/2016/427 PAM_PKCS11 0.6.8
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
291
diff
changeset
|
119 |
mapper_search_path = /usr/lib/pam_pkcs11/$ISA; |
|
291
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
120 |
|
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
121 |
# |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
122 |
# Generic certificate contents mapper |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
123 |
mapper generic {
|
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
124 |
debug = true; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
125 |
module = internal; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
126 |
# ignore letter case on match/compare |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
127 |
ignorecase = false; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
128 |
# Use one of "cn" , "subject" , "kpn" , "email" , "upn" or "uid" |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
129 |
cert_item = cn; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
130 |
# Define mapfile if needed, else select "none" |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
131 |
mapfile = file:///etc/security/pam_pkcs11/generic_mapping |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
132 |
# Decide if use getpwent() to map login |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
133 |
use_getpwent = false; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
134 |
} |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
135 |
|
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
136 |
# Certificate Subject to login based mapper |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
137 |
# provided file stores one or more "Subject -> login" lines |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
138 |
mapper subject {
|
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
139 |
debug = false; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
140 |
module = internal; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
141 |
ignorecase = false; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
142 |
mapfile = file:///etc/security/pam_pkcs11/subject_mapping; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
143 |
} |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
144 |
|
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
145 |
# Search public keys from $HOME/.ssh/authorized_keys to match users |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
146 |
mapper openssh {
|
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
147 |
debug = false; |
|
6937
1366743d2272
PSARC/2016/427 PAM_PKCS11 0.6.8
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
291
diff
changeset
|
148 |
module = /usr/lib/pam_pkcs11/$ISA/openssh_mapper.so; |
|
291
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
149 |
} |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
150 |
|
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
151 |
# Search certificates from $HOME/.eid/authorized_certificates to match users |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
152 |
mapper opensc {
|
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
153 |
debug = false; |
|
6937
1366743d2272
PSARC/2016/427 PAM_PKCS11 0.6.8
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
291
diff
changeset
|
154 |
module = /usr/lib/pam_pkcs11/$ISA/opensc_mapper.so; |
|
291
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
155 |
} |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
156 |
|
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
157 |
# Certificate Common Name ( CN ) to getpwent() mapper |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
158 |
mapper pwent {
|
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
159 |
debug = false; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
160 |
ignorecase = false; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
161 |
module = internal; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
162 |
} |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
163 |
|
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
164 |
# Null ( no map ) mapper. when user as finder matchs to NULL or "nobody" |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
165 |
mapper null {
|
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
166 |
debug = false; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
167 |
module = internal ; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
168 |
# select behavior: always match, or always fail |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
169 |
default_match = false; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
170 |
# on match, select returned user |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
171 |
default_user = nobody ; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
172 |
} |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
173 |
|
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
174 |
# Directory ( ldap style ) mapper |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
175 |
mapper ldap {
|
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
176 |
debug = false; |
|
6937
1366743d2272
PSARC/2016/427 PAM_PKCS11 0.6.8
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
291
diff
changeset
|
177 |
|
|
1366743d2272
PSARC/2016/427 PAM_PKCS11 0.6.8
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
291
diff
changeset
|
178 |
# The path of the ldap_mapper.so module |
|
1366743d2272
PSARC/2016/427 PAM_PKCS11 0.6.8
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
291
diff
changeset
|
179 |
# |
|
1366743d2272
PSARC/2016/427 PAM_PKCS11 0.6.8
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
291
diff
changeset
|
180 |
# Two versions of ldap_mapper.so are available: |
|
1366743d2272
PSARC/2016/427 PAM_PKCS11 0.6.8
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
291
diff
changeset
|
181 |
# |
|
1366743d2272
PSARC/2016/427 PAM_PKCS11 0.6.8
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
291
diff
changeset
|
182 |
# - ldap_mapper.so built with the Mozilla LDAP |
|
1366743d2272
PSARC/2016/427 PAM_PKCS11 0.6.8
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
291
diff
changeset
|
183 |
# libraries and the default. |
|
1366743d2272
PSARC/2016/427 PAM_PKCS11 0.6.8
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
291
diff
changeset
|
184 |
# |
|
1366743d2272
PSARC/2016/427 PAM_PKCS11 0.6.8
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
291
diff
changeset
|
185 |
# - openldap_mapper.so built only for Solaris 11 with |
|
1366743d2272
PSARC/2016/427 PAM_PKCS11 0.6.8
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
291
diff
changeset
|
186 |
# the OpenLDAP libraries. |
|
1366743d2272
PSARC/2016/427 PAM_PKCS11 0.6.8
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
291
diff
changeset
|
187 |
# |
|
1366743d2272
PSARC/2016/427 PAM_PKCS11 0.6.8
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
291
diff
changeset
|
188 |
# Mozilla LDAP version: |
|
1366743d2272
PSARC/2016/427 PAM_PKCS11 0.6.8
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
291
diff
changeset
|
189 |
# /usr/lib/pam_pcks11/$ISA/ldap_mapper.so |
|
1366743d2272
PSARC/2016/427 PAM_PKCS11 0.6.8
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
291
diff
changeset
|
190 |
# |
|
1366743d2272
PSARC/2016/427 PAM_PKCS11 0.6.8
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
291
diff
changeset
|
191 |
# OpenLDAP version for Solaris 11 only: |
|
1366743d2272
PSARC/2016/427 PAM_PKCS11 0.6.8
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
291
diff
changeset
|
192 |
# /usr/lib/pam_pkcs11/$ISA/openldap_mapper.so; |
|
1366743d2272
PSARC/2016/427 PAM_PKCS11 0.6.8
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
291
diff
changeset
|
193 |
# |
|
1366743d2272
PSARC/2016/427 PAM_PKCS11 0.6.8
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
291
diff
changeset
|
194 |
module = /usr/lib/pam_pkcs11/$ISA/ldap_mapper.so; |
|
1366743d2272
PSARC/2016/427 PAM_PKCS11 0.6.8
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
291
diff
changeset
|
195 |
|
|
291
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
196 |
# hostname of ldap server (use LDAP-URI for more then one) |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
197 |
ldaphost = ""; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
198 |
# Port on ldap server to connect, this is also the default |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
199 |
# if no port is given in URI below |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
200 |
# if empty, then 389 for TLS and 636 for SSL is used |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
201 |
ldapport = ; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
202 |
# space separted list of LDAP URIs (URIs are used by given order) |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
203 |
URI = ""; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
204 |
# Scope of search: 0-2 |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
205 |
# Default is 1 = "one", meaning the set of records one |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
206 |
# level below the basedn. |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
207 |
# 0 = "base" means search only the basedn, and |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
208 |
# 2 = "sub" means the union of entries at the "base" level |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
209 |
# and ? all or "one" level below ??? FIXME |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
210 |
scope = 2; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
211 |
# DN to bind with. Must have read-access for user entries |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
212 |
# under "base" |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
213 |
binddn = "cn=pam,o=example,c=com"; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
214 |
# Password for above DN |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
215 |
passwd = ""; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
216 |
# Searchbase for user entries |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
217 |
base = "ou=People,o=example,c=com"; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
218 |
# Attribute of user entry which contains the certificate |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
219 |
attribute = "userCertificate"; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
220 |
# Searchfilter for user entry. Must only let pass user entry |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
221 |
# for the login user. |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
222 |
filter = "(&(objectClass=posixAccount)(uid=%s))" |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
223 |
# SSL/TLS-Switch |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
224 |
# This is a global switch, you can't switch between |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
225 |
# SSL or TLS and non secured connections per URI! |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
226 |
# values: off (standard), tls or on (ssl) or ssl |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
227 |
ssl = tls |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
228 |
# SSL specific settings |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
229 |
# tls_randfile = ... |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
230 |
tls_cacertfile = /etc/ssl/cacert.pem |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
231 |
# tls_cacertdir = ... |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
232 |
tls_checkpeer = 0 |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
233 |
#tls_ciphers = ... |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
234 |
#tls_cert = ... |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
235 |
#tls_key = ... |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
236 |
} |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
237 |
|
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
238 |
# Assume common name (CN) to be the login |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
239 |
mapper cn {
|
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
240 |
debug = false; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
241 |
module = internal; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
242 |
ignorecase = true; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
243 |
# mapfile = file:///etc/security/pam_pkcs11/cn_map; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
244 |
mapfile = "none"; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
245 |
} |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
246 |
|
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
247 |
# mail - Compare email field from certificate |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
248 |
mapper mail {
|
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
249 |
debug = false; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
250 |
module = internal; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
251 |
# Declare mapfile or |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
252 |
# leave empty "" or "none" to use no map |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
253 |
mapfile = file:///etc/security/pam_pkcs11/mail_mapping; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
254 |
# Some certs store email in uppercase. take care on this |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
255 |
ignorecase = true; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
256 |
# Also check that host matches mx domain |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
257 |
# when using mapfile this feature is ignored |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
258 |
ignoredomain = false; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
259 |
} |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
260 |
|
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
261 |
# ms - Use Microsoft Universal Principal Name extension |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
262 |
# UPN is in format login@ADS_Domain. No map is needed, just |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
263 |
# check domain name. |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
264 |
mapper ms {
|
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
265 |
debug = false; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
266 |
module = internal; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
267 |
ignorecase = false; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
268 |
ignoredomain = false; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
269 |
domain = "domain.com"; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
270 |
} |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
271 |
|
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
272 |
# krb - Compare againts Kerberos Principal Name |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
273 |
mapper krb {
|
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
274 |
debug = false; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
275 |
module = internal; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
276 |
ignorecase = false; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
277 |
mapfile = "none"; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
278 |
} |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
279 |
|
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
280 |
# uid - Maps Subject Unique Identifier field (if exist) to login |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
281 |
mapper uid {
|
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
282 |
debug = false; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
283 |
module = internal; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
284 |
ignorecase = false; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
285 |
mapfile = "none"; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
286 |
} |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
287 |
|
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
288 |
# digest - elaborate certificate digest and map it into a file |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
289 |
mapper digest {
|
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
290 |
debug = false; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
291 |
module = internal; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
292 |
# algorithm used to evaluate certificate digest |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
293 |
# Select one of: |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
294 |
# "null","md2","md4","md5","sha","sha1","dss","dss1","ripemd160" |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
295 |
algorithm = "sha1"; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
296 |
# mapfile = file:///etc/security/pam_pkcs11/digest_mapping; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
297 |
mapfile = "none"; |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
298 |
|
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
299 |
} |
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
300 |
|
|
b454e61af367
7050151 migrate pam_pkcs11 from sfw to userland
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
301 |
} |