7085609 openexr and ilmbase need license file upgrade
7085613 libmng needs license file upgrade
7085624 lighttpd needs TPNO and license file modifications
7085966 iperf needs TPNO and license file modifications
7085948 swig needs TPNO and license file modifications
7085963 tcpdump needs TPNO and license file modifications
7085967 Lua needs TPNO and license file modifications
7123118 libxslt needs TPNO and license file modifications
7123119 libxml2 needs TPNO and license file modifications
7133262 areca needs TPNO and license file modifications
7151922 autogen needs TPNO and license file modifications
#
# Configuration file for pam_pkcs11 module
#
# Original Author: Juan Antonio Martinez <[email protected]>
#
pam_pkcs11 {
# Allow empty passwords
nullok = true;
# Enable debugging support.
debug = true;
# Filename of the PKCS #11 module. The default value is "default"
use_pkcs11_module = default;
pkcs11_module default {
module = /usr/lib/libpkcs11.so;
description = "Solaris PKCS#11 Cryptographic Framework library";
# Which slot to use?
# You can use "slot_description" or "slot_num", but not both, to specify
# the slot to use. Using "slot_description" is preferred because the
# PKCS#11 specification does not guarantee slot ordering. "slot_num" should
# only be used with those PKCS#11 implementations that guarantee
# constant slot numbering.
#
# slot_description = "xxxx"
# The slot is specified by the slot description, for example,
# slot_description = "Sun Crypto Softtoken". The default value is
# "none" which means to use the first slot with an available token.
#
# slot_num = a_number
# The slot is specified by the slot number, for example, slot_num = 1.
# The default value is zero which means to use the first slot with an
# available token.
#
# On Solaris OS, an administrator can use the "cryotoadm list -v" command
# to find all the available slots and their slot descriptions. For more
# information, see the libpkcs11(3LIB) and cryptoadm(1m) man pages.
#
slot_description = "none";
# Where are CA certificates stored?
# You can setup this value to:
# 1- A directory with openssl hash-links to all certificates
# 2- A CA file in PEM (.pem) or ASN1 (.cer) format,
# containing all allowed CA certs
# The default value is /etc/security/pam_pkcs11/cacerts.
ca_dir = /etc/security/pam_pkcs11/cacerts;
# Path to the directory where the local (offline) CRLs are stored.
# Same convention as above is applied: you can choose either
# hash-link directory or CRL file
# The default value is /etc/security/pam_pkcs11/crls.
crl_dir = /etc/security/pam_pkcs11/crls;
# Some pcks#11 libraries can handle multithreading. So
# set it to true to properly call C_Initialize()
support_threads = false;
# Sets the Certificate verification policy.
# "none" Performs no verification
# "ca" Does CA check
# "crl_online" Downloads the CRL form the location given by the
# CRL distribution point extension of the certificate
# "crl_offline" Uses the locally stored CRLs
# "crl_auto" Is a combination of online and offline; it first
# tries to download the CRL from a possibly given CRL
# distribution point and if this fails, uses the local
# CRLs
# "signature" Does also a signature check to ensure that private
# and public key matches
# You can use a combination of ca,crl, and signature flags, or just
# use "none".
# cert_policy = ca,signature;
cert_policy = signature;
# What kind of token?
# The value of the token_type parameter will be used in the user prompt
# messages. The default value is "Smart card".
token_type = "Secure token";
}
# Which mappers ( Cert to login ) to use?
# you can use several mappers:
#
# subject - Cert Subject to login file based mapper
# pwent - CN to getpwent() login or gecos fields mapper
# ldap - LDAP mapper
# opensc - Search certificate in ${HOME}/.eid/authorized_certificates
# openssh - Search certificate public key in ${HOME}/.ssh/authorized_keys
# mail - Compare email fields from certificate
# ms - Use Microsoft Universal Principal Name extension
# krb - Compare againts Kerberos Principal Name
# cn - Compare Common Name (CN)
# uid - Compare Unique Identifier
# digest - Certificate digest to login (mapfile based) mapper
# generic - User defined certificate contents mapped
# null - blind access/deny mapper
#
# You can select a comma-separated mapper list.
# If used null mapper should be the last in the list :-)
# Also you should select at least one mapper, otherwise
# certificate will not match :-)
# use_mappers = digest, cn, pwent, uid, mail, subject, null;
use_mappers = cn;
# When no absolute path or module info is provided, use this
# value as module search path
# TODO:
# This is not still functional: use absolute pathnames or LD_LIBRARY_PATH
mapper_search_path = /usr/lib/pam_pkcs11;
#
# Generic certificate contents mapper
mapper generic {
debug = true;
module = internal;
# ignore letter case on match/compare
ignorecase = false;
# Use one of "cn" , "subject" , "kpn" , "email" , "upn" or "uid"
cert_item = cn;
# Define mapfile if needed, else select "none"
mapfile = file:///etc/security/pam_pkcs11/generic_mapping
# Decide if use getpwent() to map login
use_getpwent = false;
}
# Certificate Subject to login based mapper
# provided file stores one or more "Subject -> login" lines
mapper subject {
debug = false;
module = internal;
ignorecase = false;
mapfile = file:///etc/security/pam_pkcs11/subject_mapping;
}
# Search public keys from $HOME/.ssh/authorized_keys to match users
mapper openssh {
debug = false;
module = /usr/lib/pam_pkcs11/openssh_mapper.so;
}
# Search certificates from $HOME/.eid/authorized_certificates to match users
mapper opensc {
debug = false;
module = /usr/lib/pam_pkcs11/opensc_mapper.so;
}
# Certificate Common Name ( CN ) to getpwent() mapper
mapper pwent {
debug = false;
ignorecase = false;
module = internal;
}
# Null ( no map ) mapper. when user as finder matchs to NULL or "nobody"
mapper null {
debug = false;
module = internal ;
# select behavior: always match, or always fail
default_match = false;
# on match, select returned user
default_user = nobody ;
}
# Directory ( ldap style ) mapper
mapper ldap {
debug = false;
module = /usr/lib/pam_pkcs11/ldap_mapper.so;
# hostname of ldap server (use LDAP-URI for more then one)
ldaphost = "";
# Port on ldap server to connect, this is also the default
# if no port is given in URI below
# if empty, then 389 for TLS and 636 for SSL is used
ldapport = ;
# space separted list of LDAP URIs (URIs are used by given order)
URI = "";
# Scope of search: 0-2
# Default is 1 = "one", meaning the set of records one
# level below the basedn.
# 0 = "base" means search only the basedn, and
# 2 = "sub" means the union of entries at the "base" level
# and ? all or "one" level below ??? FIXME
scope = 2;
# DN to bind with. Must have read-access for user entries
# under "base"
binddn = "cn=pam,o=example,c=com";
# Password for above DN
passwd = "";
# Searchbase for user entries
base = "ou=People,o=example,c=com";
# Attribute of user entry which contains the certificate
attribute = "userCertificate";
# Searchfilter for user entry. Must only let pass user entry
# for the login user.
filter = "(&(objectClass=posixAccount)(uid=%s))"
# SSL/TLS-Switch
# This is a global switch, you can't switch between
# SSL or TLS and non secured connections per URI!
# values: off (standard), tls or on (ssl) or ssl
ssl = tls
# SSL specific settings
# tls_randfile = ...
tls_cacertfile = /etc/ssl/cacert.pem
# tls_cacertdir = ...
tls_checkpeer = 0
#tls_ciphers = ...
#tls_cert = ...
#tls_key = ...
}
# Assume common name (CN) to be the login
mapper cn {
debug = false;
module = internal;
ignorecase = true;
# mapfile = file:///etc/security/pam_pkcs11/cn_map;
mapfile = "none";
}
# mail - Compare email field from certificate
mapper mail {
debug = false;
module = internal;
# Declare mapfile or
# leave empty "" or "none" to use no map
mapfile = file:///etc/security/pam_pkcs11/mail_mapping;
# Some certs store email in uppercase. take care on this
ignorecase = true;
# Also check that host matches mx domain
# when using mapfile this feature is ignored
ignoredomain = false;
}
# ms - Use Microsoft Universal Principal Name extension
# UPN is in format login@ADS_Domain. No map is needed, just
# check domain name.
mapper ms {
debug = false;
module = internal;
ignorecase = false;
ignoredomain = false;
domain = "domain.com";
}
# krb - Compare againts Kerberos Principal Name
mapper krb {
debug = false;
module = internal;
ignorecase = false;
mapfile = "none";
}
# uid - Maps Subject Unique Identifier field (if exist) to login
mapper uid {
debug = false;
module = internal;
ignorecase = false;
mapfile = "none";
}
# digest - elaborate certificate digest and map it into a file
mapper digest {
debug = false;
module = internal;
# algorithm used to evaluate certificate digest
# Select one of:
# "null","md2","md4","md5","sha","sha1","dss","dss1","ripemd160"
algorithm = "sha1";
# mapfile = file:///etc/security/pam_pkcs11/digest_mapping;
mapfile = "none";
}
}