-
Notifications
You must be signed in to change notification settings - Fork 9
/
pam_hbac.conf.5.txt
85 lines (69 loc) · 3.37 KB
/
pam_hbac.conf.5.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
pam_hbac.conf(5)
================
:revdate: 2016-02-26
NAME
----
pam_hbac.conf - The configuration file of the pam_hbac.so access module
SYNOPSIS
--------
This man page describes the pam_hbac config file, its format and options
FILE FORMAT
-----------
The pam_hbac.conf configuration uses a simple key=value format. Whitespace
on the beginning of the line, at the end of the line and around the equal
sign is ignored. The case of the keys does not matter. The values should not
be quoted as the quotes are not removed and the values are used verbatim.
CONFIGURATION OPTIONS
---------------------
* URI - the LDAP URI pointing to the IPA server. At the moment, only one
value is supported. This is a required option.
** Example: URI = ldap://dc.ipa.domain.test
* BASE - the LDAP search base of your IPA server. This is a required option.
** Example: BASE = dc=ipa,dc=domain,dc=test
* BIND_DN - The default bind DN to use for performing LDAP searches. It
is recommended to create a bind user (see below). This is a required option.
** Example: BIND_DN = uid=hbac,cn=sysaccounts,cn=etc,dc=ipa,dc=domain,dc=test
* BIND_PW - The cleartext password of the account specified in the
`BIND_DN` option. Please note that the pam_hbac.conf file is normally
world-readable, so please don't include a valuable account's password
here. This is a required option.
** Example: BIND_PW = thisisasecret
* HOST_NAME - the host name of the client machine. You should only set
this option if *hostname(1)* reports a different host name than this client
machine has registered with the IPA server
** Example: HOST_NAME = client.ipa.domain.test
* SSL_PATH - Specifies the location of certificates for the Certificate
Authorities that pam_hbac will recognize. On most systems (all that ship with
OpenLDAP libraries), this is a path to a certificate file. On some systems,
like Omnios or older Solaris releases that do not ship OpenLDAP libraries,
this must be a path to a directory containing the NSS database that contains
the certificate. If this option is not set, libldap defaults will be used.
** Example (certificate file): SSL_PATH = /etc/openldap/cacerts/ipa.crt
CREATING A BIND USER
--------------------
Most of the data that pam_hbac reads from the IPA server requires an
authenticated connection. Because at the moment, only a simple bind with a
DN and a password is supported, you might want to create a special bind user
for pam_hbac. To do so, prepare an LDIF file with the following contents:
[source,bash]
dn: uid=hbac,cn=sysaccounts,cn=etc,$DC
objectClass: account
objectClass: simplesecurityobject
objectClass: top
uid: hbac
userPassword: $PASSWORD
Replace the $PASSWORD value with the desired password of the bind user
and $DC with the base DN of your IPA server. Then add this LDIF to the IPA server:
[source,bash]
ldapadd -ZZ -H ldap://$IPA_HOSTNAME -D"cn=Directory Manager" -W < hbac_sysuser.ldif
You will be asked for the Directory Manager password.
PLATFORM-SPECIFIC DOCUMENTATION
-------------------------------
In addition to the man pages that contain information that applies to any OS,
pam_hbac also ships documentation specific to certain platforms. Those docs
can be found either in shipped in the docdir on your OS or online at
https://github.com/jhrozek/pam_hbac/tree/master/doc
SEE ALSO
--------
* *pam_hbac(8)* - A PAM account module that evaluates HBAC rules stored
on an IPA server