12 |
12 |
13 # Filename of the PKCS #11 module. The default value is "default" |
13 # Filename of the PKCS #11 module. The default value is "default" |
14 use_pkcs11_module = default; |
14 use_pkcs11_module = default; |
15 |
15 |
16 pkcs11_module default { |
16 pkcs11_module default { |
17 module = /usr/lib/libpkcs11.so; |
17 module = /usr/lib/$ISA/libpkcs11.so; |
18 description = "Solaris PKCS#11 Cryptographic Framework library"; |
18 description = "Solaris PKCS#11 Cryptographic Framework library"; |
19 |
19 |
20 # Which slot to use? |
20 # Which slot to use? |
21 # You can use "slot_description" or "slot_num", but not both, to specify |
21 # You can use "slot_description" or "slot_num", but not both, to specify |
22 # the slot to use. Using "slot_description" is preferred because the |
22 # the slot to use. Using "slot_description" is preferred because the |
34 # The default value is zero which means to use the first slot with an |
34 # The default value is zero which means to use the first slot with an |
35 # available token. |
35 # available token. |
36 # |
36 # |
37 # On Solaris OS, an administrator can use the "cryotoadm list -v" command |
37 # On Solaris OS, an administrator can use the "cryotoadm list -v" command |
38 # to find all the available slots and their slot descriptions. For more |
38 # to find all the available slots and their slot descriptions. For more |
39 # information, see the libpkcs11(3LIB) and cryptoadm(1m) man pages. |
39 # information, see the libpkcs11(3LIB) and cryptoadm(8) man pages. |
40 # |
40 # |
41 slot_description = "none"; |
41 slot_description = "none"; |
42 |
42 |
43 # Where are CA certificates stored? |
43 # Where are CA certificates stored? |
44 # You can setup this value to: |
44 # You can setup this value to: |
77 |
77 |
78 # What kind of token? |
78 # What kind of token? |
79 # The value of the token_type parameter will be used in the user prompt |
79 # The value of the token_type parameter will be used in the user prompt |
80 # messages. The default value is "Smart card". |
80 # messages. The default value is "Smart card". |
81 token_type = "Secure token"; |
81 token_type = "Secure token"; |
|
82 |
|
83 # The err_display_time option suspends execution for an interval of time |
|
84 # in seconds after each PAM message is shown. |
|
85 err_display_time = 0; |
|
86 |
|
87 # The quiet option can be used to disable error messages. |
|
88 quiet = false; |
82 } |
89 } |
83 |
90 |
84 # Which mappers ( Cert to login ) to use? |
91 # Which mappers ( Cert to login ) to use? |
85 # you can use several mappers: |
92 # you can use several mappers: |
86 # |
93 # |
107 |
114 |
108 # When no absolute path or module info is provided, use this |
115 # When no absolute path or module info is provided, use this |
109 # value as module search path |
116 # value as module search path |
110 # TODO: |
117 # TODO: |
111 # This is not still functional: use absolute pathnames or LD_LIBRARY_PATH |
118 # This is not still functional: use absolute pathnames or LD_LIBRARY_PATH |
112 mapper_search_path = /usr/lib/pam_pkcs11; |
119 mapper_search_path = /usr/lib/pam_pkcs11/$ISA; |
113 |
120 |
114 # |
121 # |
115 # Generic certificate contents mapper |
122 # Generic certificate contents mapper |
116 mapper generic { |
123 mapper generic { |
117 debug = true; |
124 debug = true; |
136 } |
143 } |
137 |
144 |
138 # Search public keys from $HOME/.ssh/authorized_keys to match users |
145 # Search public keys from $HOME/.ssh/authorized_keys to match users |
139 mapper openssh { |
146 mapper openssh { |
140 debug = false; |
147 debug = false; |
141 module = /usr/lib/pam_pkcs11/openssh_mapper.so; |
148 module = /usr/lib/pam_pkcs11/$ISA/openssh_mapper.so; |
142 } |
149 } |
143 |
150 |
144 # Search certificates from $HOME/.eid/authorized_certificates to match users |
151 # Search certificates from $HOME/.eid/authorized_certificates to match users |
145 mapper opensc { |
152 mapper opensc { |
146 debug = false; |
153 debug = false; |
147 module = /usr/lib/pam_pkcs11/opensc_mapper.so; |
154 module = /usr/lib/pam_pkcs11/$ISA/opensc_mapper.so; |
148 } |
155 } |
149 |
156 |
150 # Certificate Common Name ( CN ) to getpwent() mapper |
157 # Certificate Common Name ( CN ) to getpwent() mapper |
151 mapper pwent { |
158 mapper pwent { |
152 debug = false; |
159 debug = false; |
165 } |
172 } |
166 |
173 |
167 # Directory ( ldap style ) mapper |
174 # Directory ( ldap style ) mapper |
168 mapper ldap { |
175 mapper ldap { |
169 debug = false; |
176 debug = false; |
170 module = /usr/lib/pam_pkcs11/ldap_mapper.so; |
177 |
|
178 # The path of the ldap_mapper.so module |
|
179 # |
|
180 # Two versions of ldap_mapper.so are available: |
|
181 # |
|
182 # - ldap_mapper.so built with the Mozilla LDAP |
|
183 # libraries and the default. |
|
184 # |
|
185 # - openldap_mapper.so built only for Solaris 11 with |
|
186 # the OpenLDAP libraries. |
|
187 # |
|
188 # Mozilla LDAP version: |
|
189 # /usr/lib/pam_pcks11/$ISA/ldap_mapper.so |
|
190 # |
|
191 # OpenLDAP version for Solaris 11 only: |
|
192 # /usr/lib/pam_pkcs11/$ISA/openldap_mapper.so; |
|
193 # |
|
194 module = /usr/lib/pam_pkcs11/$ISA/ldap_mapper.so; |
|
195 |
171 # hostname of ldap server (use LDAP-URI for more then one) |
196 # hostname of ldap server (use LDAP-URI for more then one) |
172 ldaphost = ""; |
197 ldaphost = ""; |
173 # Port on ldap server to connect, this is also the default |
198 # Port on ldap server to connect, this is also the default |
174 # if no port is given in URI below |
199 # if no port is given in URI below |
175 # if empty, then 389 for TLS and 636 for SSL is used |
200 # if empty, then 389 for TLS and 636 for SSL is used |
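Review bot: The new comment block inside `mapper ldap` gives the Mozilla LDAP module path as `/usr/lib/pam_pcks11/$ISA/ldap_mapper.so`, with `pcks11` transposed, while the active line below it uses `/usr/lib/pam_pkcs11/$ISA/ldap_mapper.so`. An administrator who copies the commented path into `module =` would name a directory that does not match the one used everywhere else in the file. I would correct the comment to `# /usr/lib/pam_pkcs11/$ISA/ldap_mapper.so` and drop the trailing `;` from the commented `openldap_mapper.so` path so both examples read the same way. Separately, every `module =` path visible in this change, along with `mapper_search_path`, now relies on `$ISA` being expanded by whatever reads the file. That expansion is not visible on this page, so it is worth confirming, because an unexpanded token would presumably stop the PKCS #11 library and the mappers from loading. The `mapper ldap` block continues past the last line shown.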