components/pam_pkcs11/pam_pkcs11.conf
author Huie-Ying Lee <huieying.lee@oracle.com>
Wed, 08 Jun 2011 18:37:56 -0700
changeset 291 b454e61af367
child 5029 77413b29eb5a
child 6937 1366743d2272
permissions -rw-r--r--
7050151 migrate pam_pkcs11 from sfw to userland
#
# Configuration file for pam_pkcs11 module
#
# Original Author: Juan Antonio Martinez <[email protected]>
#
pam_pkcs11 {
  # Allow empty passwords
  nullok = true;
  # Enable debugging support.
  debug = true; 
  # Filename of the PKCS #11 module. The default value is "default"
  use_pkcs11_module = default;
  pkcs11_module default {
    module = /usr/lib/libpkcs11.so;
    description = "Solaris PKCS#11 Cryptographic Framework library";
    # Which slot to use?
    # You can use "slot_description" or "slot_num", but not both, to specify
    # the slot to use. Using "slot_description" is preferred because the
    # PKCS#11 specification does not guarantee slot ordering. "slot_num" should
    # only be used with those PKCS#11 implementations that guarantee
    # constant slot numbering.
    #
    #  slot_description = "xxxx"
    #      The slot is specified by the slot description, for example, 
    #      slot_description = "Sun Crypto Softtoken".  The default value is
    #      "none" which means to use the first slot with an available token.
    #
    #  slot_num = a_number
    #      The slot is specified by the slot number, for example, slot_num = 1.
    #      The default value is zero which means to use the first slot with an
    #      available token.
    #
    # On Solaris OS, an administrator can use the "cryptoadm list -v" command
    # to find all the available slots and their slot descriptions. For more 
    # information, see the libpkcs11(3LIB) and cryptoadm(1m) man pages.
    #
    slot_description = "none";
    # Where are CA certificates stored?
    # You can setup this value to:
    # 1- A directory with openssl hash-links to all certificates
    # 2- A CA file in PEM (.pem) or ASN1 (.cer) format, 
    # containing all allowed CA certs
    # The default value is /etc/security/pam_pkcs11/cacerts.
    ca_dir = /etc/security/pam_pkcs11/cacerts;
  
    # Path to the directory where the local (offline) CRLs are stored.
    # Same convention as above is applied: you can choose either
    # hash-link directory or CRL file
    # The default value is /etc/security/pam_pkcs11/crls.
    crl_dir = /etc/security/pam_pkcs11/crls;
  
    # Some PKCS#11 libraries can handle multithreading. So
    # set it to true to properly call C_Initialize() 
    support_threads = false;
    # Sets the Certificate verification policy. 
    # "none"        Performs no verification
    # "ca"          Does CA check
    # "crl_online"  Downloads the CRL from the location given by the
    #               CRL distribution point extension of the certificate
    # "crl_offline" Uses the locally stored CRLs
    # "crl_auto"    Is a combination of online and offline; it first 
    #               tries to download the CRL from a possibly given CRL 
    #               distribution point and if this fails, uses the local
    #               CRLs
    # "signature"   Does also a signature check to ensure that private
    #               and public key matches
    # You can use a combination of the ca, crl, and signature flags, or just
    # use "none".
    # cert_policy = ca,signature;
    cert_policy = signature;
    # What kind of token?
    # The value of the token_type parameter will be used in the user prompt
    # messages.  The default value is "Smart card".
    token_type = "Secure token";
  }
  # Which mappers ( Cert to login ) to use?
  # you can use several mappers:
  #
  # subject - Cert Subject to login file based mapper
  # pwent   - CN to getpwent() login or gecos fields mapper
  # ldap    - LDAP mapper
  # opensc  - Search certificate in ${HOME}/.eid/authorized_certificates
  # openssh - Search certificate public key in ${HOME}/.ssh/authorized_keys
  # mail    - Compare email fields from certificate
  # ms      - Use Microsoft Universal Principal Name extension
  # krb     - Compare against Kerberos Principal Name
  # cn      - Compare Common Name (CN)
  # uid     - Compare Unique Identifier
  # digest  - Certificate digest to login (mapfile based) mapper
  # generic - User defined certificate contents mapped
  # null    - blind access/deny mapper
  #
  # You can select a comma-separated mapper list.
  # If used, the null mapper should be the last one in the list :-)
  # Also you should select at least one mapper, otherwise
  # certificate will not match :-)
  # use_mappers = digest, cn, pwent, uid, mail, subject, null;
  use_mappers = cn;
  # When no absolute path or module info is provided, use this
  # value as module search path
  # TODO:
  # This is still not functional: use absolute pathnames or LD_LIBRARY_PATH
  mapper_search_path = /usr/lib/pam_pkcs11;
  # 
  # Generic certificate contents mapper
  mapper generic {
        debug = true;
        module = internal;
        # ignore letter case on match/compare
        ignorecase = false;
        # Use one of "cn" , "subject" , "kpn" , "email" , "upn" or "uid"
        cert_item  = cn;
        # Define mapfile if needed, else select "none"
        mapfile = file:///etc/security/pam_pkcs11/generic_mapping
        # Decide whether to use getpwent() to map the login
        use_getpwent = false;
  }
  # Certificate Subject to login based mapper
  # provided file stores one or more "Subject -> login" lines
  mapper subject {
	debug = false;
	module = internal;
	ignorecase = false;
	mapfile = file:///etc/security/pam_pkcs11/subject_mapping;
  }
  # Search public keys from $HOME/.ssh/authorized_keys to match users
  mapper openssh {
	debug = false;
	module = /usr/lib/pam_pkcs11/openssh_mapper.so;
  }
  # Search certificates from $HOME/.eid/authorized_certificates to match users
  mapper opensc {
	debug = false;
	module = /usr/lib/pam_pkcs11/opensc_mapper.so;
  }
  # Certificate Common Name ( CN ) to getpwent() mapper
  mapper pwent {
	debug = false;
	ignorecase = false;
	module = internal;
  }
  # Null ( no map ) mapper. The user it finds is either NULL or "nobody"
  mapper null {
	debug = false;
	module = internal ;
	# select behavior: always match, or always fail
	default_match = false;
	# on match, select returned user
        default_user = nobody ;
  }
  # Directory ( ldap style ) mapper
  mapper ldap {
	debug = false;
	module = /usr/lib/pam_pkcs11/ldap_mapper.so;
	# hostname of ldap server (use LDAP-URI for more than one)
	ldaphost = "";
	# Port on ldap server to connect, this is also the default
	#   if no port is given in URI below
	#   if empty, then 389 for TLS and 636 for SSL are used
	ldapport = ;
	# space-separated list of LDAP URIs (URIs are used in the given order)
	URI = "";
	# Scope of search: 0-2
	#   Default is 1 = "one", meaning the set of records one
	#   level below the basedn.
	#   0 = "base"  means search only the basedn, and
	#   2 = "sub"  means the union of entries at the "base" level
	#   and ? all or "one" level below ??? FIXME
	scope = 2;
	# DN to bind with. Must have read-access for user entries
	# under "base"
	binddn = "cn=pam,o=example,c=com";
	# Password for above DN (stored in cleartext; keep this file readable only by root)
	passwd = "";
	# Searchbase for user entries
	base = "ou=People,o=example,c=com";
	# Attribute of user entry which contains the certificate
	attribute = "userCertificate";
	# Search filter for the user entry. It must match only the entry
	# of the login user.
	filter = "(&(objectClass=posixAccount)(uid=%s))"
	# SSL/TLS-Switch
	#   This is a global switch: you cannot choose between
	#   SSL/TLS and unsecured connections per URI!
	#   values: off (default), tls, or on / ssl (both select SSL)
	ssl = tls
	# SSL specific settings (note that tls_checkpeer = 0 disables verification of the LDAP server certificate)
	# tls_randfile = ...
	tls_cacertfile = /etc/ssl/cacert.pem
	# tls_cacertdir = ...
	tls_checkpeer = 0
	#tls_ciphers = ...
	#tls_cert = ...
	#tls_key = ...
  }
  # Assume common name (CN) to be the login
  mapper cn {
	debug = false;
	module = internal;
	ignorecase = true;
	# mapfile = file:///etc/security/pam_pkcs11/cn_map;
	mapfile = "none";
  }
  # mail -  Compare email field from certificate
  mapper mail {
	debug = false;
	module = internal;
	# Declare mapfile or
	# leave empty "" or "none" to use no map 
	mapfile = file:///etc/security/pam_pkcs11/mail_mapping;
	# Some certificates store the email address in uppercase; keep this in mind.
	ignorecase = true;
	# Also check that the host part matches the MX domain;
	# this check is ignored when a mapfile is used.
	ignoredomain = false;
  }
  # ms - Use Microsoft Universal Principal Name extension
  # UPN is in format login@ADS_Domain. No map is needed, just
  # check domain name.
  mapper ms {
	debug = false;
	module = internal;
	ignorecase = false;
	ignoredomain = false;
	domain = "domain.com";
  }
  # krb  - Compare against Kerberos Principal Name
  mapper krb {
	debug = false;
	module = internal;
	ignorecase = false;
	mapfile = "none";
  }
  # uid  - Maps Subject Unique Identifier field (if present) to login
  mapper uid {
	debug = false;
	module = internal;
	ignorecase = false;
	mapfile = "none";
  }
  # digest - compute the certificate digest and look it up in a map file
  mapper digest {
	debug = false;
	module = internal;
	# algorithm used to compute the certificate digest (md2, md4 and md5 are cryptographically broken and should not be used)
        # Select one of:
	# "null","md2","md4","md5","sha","sha1","dss","dss1","ripemd160"
	algorithm = "sha1";
	# mapfile = file:///etc/security/pam_pkcs11/digest_mapping;
	mapfile = "none";
  }
}