Sample config
=============
pam_pkcs11.conf:
----------------
(...)
# Directory ( ldap style ) mapper
mapper ldap {
debug = false;
module = /usr/lib/pam_pkcs11/ldap_mapper.so;
# where base directory resides
basedir = /etc/pam_pkcs11/mapdir;
# hostname of ldap server
ldaphost = "localhost";
# Port on ldap server to connect
ldapport = 389;
# Scope of search: 0 = x, 1 = y, 2 = z
scope = 2;
# DN to bind with. Must have read-access for user entries under "base"
binddn = "cn=pam,o=example,c=com";
# Password for above DN
passwd = "test";
# Searchbase for user entries
base = "ou=People,o=example,c=com";
# Attribute of user entry which contains the certificate
attribute = "userCertificate";
# Searchfilter for user entry. Must only let pass user entry for the login user.
filter = "(&(objectClass=posixAccount)(uid=%s))"
}
(...)
Sample structure of the LDAP entries
====================================
/etc/openldap/slapd.conf:
-------------------------
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
allow bind_v2
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
access to dn.base="" by * read
access to dn.base="ou=People" by dn=cn=pam,o=example,c=com read
access to *
by self write
by users read
by anonymous auth
database bdb
suffix "o=example,c=com"
rootdn "cn=root,o=example,c=com"
rootpw {SSHA}****
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
initial.ldif:
-------------
dn: o=example,c=com
objectClass: dcObject
objectClass: organization
o: example
dc: example
dn: ou=People,o=example,c=com
ou: People
objectclass: organizationalUnit
dn: ou=Groups,o=example,c=com
ou: Groups
objectclass: organizationalUnit
pam.user.ldif:
--------------
dn: uid=pam,o=example,c=com
uid: pam
givenName: Pamela
sn: Anderson
userPassword: pam
loginShell: /bin/false
uidNumber: 999999
gidNumber: 999999
homeDirectory: /tmp
shadowMin: -1
shadowMax: 999999
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 0
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
cn: pam
sample.user.ldif:
-----------------
dn: uid=testuser,ou=People,o=example,c=com
uid: testuser
givenName: Test
sn: User
cn: Test User
userPassword: abcde
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/testuser
shadowMin: -1
shadowMax: 999999
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 0
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
userCertificate;binary:: MIIELD
(...)
Bg==
