Sample config ============= pam_pkcs11.conf: ---------------- (...) # Directory ( ldap style ) mapper mapper ldap { debug = false; module = /usr/lib/pam_pkcs11/ldap_mapper.so; # where base directory resides basedir = /etc/pam_pkcs11/mapdir; # hostname of ldap server ldaphost = "localhost"; # Port on ldap server to connect ldapport = 389; # Scope of search: 0 = x, 1 = y, 2 = z scope = 2; # DN to bind with. Must have read-access for user entries under "base" binddn = "cn=pam,o=example,c=com"; # Password for above DN passwd = "test"; # Searchbase for user entries base = "ou=People,o=example,c=com"; # Attribute of user entry which contains the certificate attribute = "userCertificate"; # Searchfilter for user entry. Must only let pass user entry for the login user. filter = "(&(objectClass=posixAccount)(uid=%s))" } (...) Sample structure of the LDAP entries ==================================== /etc/openldap/slapd.conf: ------------------------- include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema allow bind_v2 pidfile /var/run/slapd.pid argsfile /var/run/slapd.args access to dn.base="" by * read access to dn.base="ou=People" by dn=cn=pam,o=example,c=com read access to * by self write by users read by anonymous auth database bdb suffix "o=example,c=com" rootdn "cn=root,o=example,c=com" rootpw {SSHA}**** directory /var/lib/ldap index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub initial.ldif: ------------- dn: o=example,c=com objectClass: dcObject objectClass: organization o: example dc: example dn: ou=People,o=example,c=com ou: People objectclass: organizationalUnit dn: ou=Groups,o=example,c=com ou: Groups objectclass: organizationalUnit pam.user.ldif: -------------- dn: uid=pam,o=example,c=com uid: pam givenName: Pamela sn: Anderson userPassword: pam loginShell: /bin/false uidNumber: 999999 gidNumber: 999999 homeDirectory: /tmp shadowMin: -1 shadowMax: 999999 shadowWarning: 7 shadowInactive: -1 shadowExpire: -1 shadowFlag: 0 objectClass: top objectClass: person objectClass: posixAccount objectClass: shadowAccount objectClass: inetOrgPerson cn: pam sample.user.ldif: ----------------- dn: uid=testuser,ou=People,o=example,c=com uid: testuser givenName: Test sn: User cn: Test User userPassword: abcde loginShell: /bin/bash uidNumber: 1000 gidNumber: 1000 homeDirectory: /home/testuser shadowMin: -1 shadowMax: 999999 shadowWarning: 7 shadowInactive: -1 shadowExpire: -1 shadowFlag: 0 objectClass: top objectClass: person objectClass: posixAccount objectClass: shadowAccount objectClass: inetOrgPerson userCertificate;binary:: MIIELD (...) Bg==