added full ldap/kerberos support to authnz module, add mam as exemple

conf/includes/legos.conf.sh

@@ -23,3 +23,7 @@ export NTP_SERVERS="ntp1.$REALM ntp2.$REALM"
 
 # Relay mail
 export MAIL_RELAY="smpt.$REALM"
+
+# Authentification
+export BASE_DC="dc=legos,dc=obs-mip,dc=fr"
+# To be continued

conf/includes/mam.conf.sh

@@ -0,0 +1,24 @@
+# Genral use variables
+# Domaine Mixart Myrys
+export REALM="mixart-myrys.org"
+
+# Conf_ntp variables
+export NTPSERVERS="ntp1.$REALM ntp2.$REALM"
+
+# Upgrade_dist variables
+export PROXYAPT="acng.$REALM"
+export PROXYAPTPORT="3142"
+
+# Authnz variables
+export DEFAULT_SHELL="/bin/bash"
+
+# Conf_locales viriables
+export LOCALESET="en_US.UTF-8 fr_FR.UTF-8"
+export SYSLOCALE="fr_FR.UTF-8"
+
+# Authentification
+export BASE_DC="dc=mixart-myrys,dc=org"
+export KDC_SERVER="kerb.$REALM"
+export KADM_SERVER="kerb.$REALM"
+export LDAP_SERVER="ldap.$REALM"
+export LDAP_ADM="admin"

modules/authnz.sh

@@ -8,7 +8,12 @@
 # https://opensource.org/licenses/BSD-3-Clause
 # ------------------------------------------------------------------------------
 # Variable:
+#  * REALM: Domain (must be kerberos real if using Kerberos)
 #  * WITH_LDAP_KERB: Shall we install requirements for LDAP/Kerberos auth ?
+#      * KDC_SERVER: Kerberos domain controler KADM_SERVER
+#      * KADM_SERVER: Administrative Kerberos KADM_SERVER
+#      * BASE_DC: Domain in LDAP format
+#      * LDAP_SERVER: LDAP server
 #  * REMOTE_USERS: List of remote users to add
 #  * LOCAL_USERS: List of local users to create
 #  * REMOVE_USERS: List of username to remove
@@ -59,8 +64,20 @@ authnz()
             /etc/nsswitch.conf /etc/pam.d/common-session \
             /etc/pam.d/common-account /etc/pam.d/common-password \
             /etc/pam.d/common-auth
-        installfile krb5.conf libnss-ldap.conf pam_ldap.conf nsswitch.conf /etc
+        installfile authnz/krb5.conf authnz/libnss-ldap.conf \
-        installfile common-session common-account common-password common-auth \
+            authnz/pam_ldap.conf authnz/nsswitch.conf /etc
+
+        sed -i -e "s/@REALM@/${REALM^^}/g" -e "s/@DOMAIN@/$REALM/g" \
+            -e "s/@KDC_SERVER@/$KDC_SERVER/" -e "s/@KADM_SERVER@/$KADM_SERVER/" \
+            /etc/krb5.conf
+        sed -i -e "s/@BASE_CD@/$BASE_DC@/" -e "s/@LDAP_SERVER@/$LDAP_SERVER/" \
+            /etc/libnss-ldap.conf
+        sed -i -e "s/@BASE_CD@/$BASE_DC@/g" -e "s/@LDAP_SERVER@/$LDAP_SERVER/" \
+            -e "s/@LDAP_ADM@/$LDAP_ADM/" /etc/libnss-ldap.conf
+
+
+        installfile authnz/common-session authnz/common-account \
+            authnz/common-password authnz/common-auth \
             /etc/pam.d
 
         scv_restart nscd
@@ -85,6 +102,11 @@ precheck_authnz()
 {
     if [[ $WITH_LDAP_KERB == "yes" ]]; then
         if [[ -n $REMOTE_USERS ]]; then
+            if [[ -z $KDC_SERVER || -z $KADM_SERVER || -z $BASE_CD || \
+                -z $LDAP_SERVER || -z $LDAP_ADM ]]; then
+                prnt E "A variable related to authentication is missing!"
+                die 109
+            fi
             prnt I "The following distant users will be accessible:"
             prnt m "\t* $REMOTE_USERS"
         else

repo/common/authnz/common-account

@@ -0,0 +1,26 @@
+#
+# /etc/pam.d/common-account - authorization settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authorization modules that define
+# the central access policy for use on the system.  The default is to
+# only deny service to users whose accounts are expired in /etc/shadow.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+#
+
+# here are the per-package modules (the "Primary" block)
+account	[success=1 new_authtok_reqd=done default=ignore]	pam_unix.so
+# here's the fallback if no module succeeds
+account	requisite			pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+account	required			pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+account	required			pam_krb5.so minimum_uid=1000
+# end of pam-auth-update config

repo/common/authnz/common-auth

@@ -0,0 +1,28 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
+# traditional Unix authentication mechanisms.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+
+# Kerberos support
+#auth	sufficient			pam_krb5.so use_first_pass ignore_root forwardable
+# here are the per-package modules (the "Primary" block)
+auth	[success=2 default=ignore]	pam_krb5.so
+auth	[success=1 default=ignore]	pam_unix.so nullok_secure try_first_pass
+# here's the fallback if no module succeeds
+auth	requisite			pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth	required			pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config

repo/common/authnz/common-password

@@ -0,0 +1,34 @@
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords.  The default is pam_unix.
+
+# Explanation of pam_unix options:
+#
+# The "sha512" option enables salted SHA512 passwords.  Without this option,
+# the default is Unix crypt.  Prior releases used the option "md5".
+#
+# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
+# login.defs.
+#
+# See the pam_unix manpage for other options.
+
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+password	[success=2 default=ignore]	pam_krb5.so minimum_uid=1000
+password	[success=1 default=ignore]	pam_unix.so obscure use_authtok try_first_pass sha512
+# here's the fallback if no module succeeds
+password	requisite			pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password	required			pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config

repo/common/authnz/common-session

@@ -0,0 +1,29 @@
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+session	[default=1]			pam_permit.so
+# here's the fallback if no module succeeds
+session	requisite			pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session	required			pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session	optional			pam_krb5.so minimum_uid=1000
+session	required			pam_unix.so
+
+# Create homedir if needed
+session required			pam_mkhomedir.so skel=/etc/skel/ umask=0022
+# end of pam-auth-update config

repo/common/authnz/krb5.conf

@@ -0,0 +1,36 @@
+[libdefaults]
+	default_realm = @REALM@
+
+# The following krb5.conf variables are only for MIT Kerberos.
+	kdc_timesync = 1
+	ccache_type = 4
+	forwardable = true
+	proxiable = true
+
+# The following encryption type specification will be used by MIT Kerberos
+# if uncommented.  In general, the defaults in the MIT Kerberos code are
+# correct and overriding these specifications only serves to disable new
+# encryption types as they are added, creating interoperability problems.
+#
+# The only time when you might need to uncomment these lines and change
+# the enctypes is if you have local software that will break on ticket
+# caches containing ticket encryption types it doesn't know about (such as
+# old versions of Sun Java).
+
+#	default_tgs_enctypes = des3-hmac-sha1
+#	default_tkt_enctypes = des3-hmac-sha1
+#	permitted_enctypes = des3-hmac-sha1
+
+# The following libdefaults parameters are only for Heimdal Kerberos.
+	fcc-mit-ticketflags = true
+
+[realms]
+	MIXART-MYRYS.ORG = {
+		kdc = @KDC_SERVER@
+		admin_server = @KADM_SERVER@
+	}
+
+[domain_realm]
+	.@DOMAIN@ = @REALM@
+	@DOMAIN@ = @REALM@
+

repo/common/authnz/libnss-ldap.conf

@@ -0,0 +1,323 @@
+###DEBCONF###
+# The configuration of this file will be done by debconf as long as the
+# first line of the file says '###DEBCONF###'.
+#
+# You should use dpkg-reconfigure libnss-ldap to configure this file.
+#
+# @(#)$Id: ldap.conf,v 2.49 2009/04/25 01:53:15 lukeh Exp $
+#
+# This is the configuration file for the LDAP nameservice
+# switch library and the LDAP PAM module.
+#
+# PADL Software
+# http://www.padl.com
+#
+
+# Your LDAP server. Must be resolvable without using LDAP.
+# Multiple hosts may be specified, each separated by a 
+# space. How long nss_ldap takes to failover depends on
+# whether your LDAP client library supports configurable
+# network or connect timeouts (see bind_timelimit).
+#host 127.0.0.1
+
+# The distinguished name of the search base.
+base @BASE_DC@
+
+# Another way to specify your LDAP server is to provide an
+uri ldap://@LDAP_SERVER@/
+# Unix Domain Sockets to connect to a local LDAP Server.
+#uri ldap://127.0.0.1/
+#uri ldaps://127.0.0.1/   
+#uri ldapi://%2fvar%2frun%2fldapi_sock/
+# Note: %2f encodes the '/' used as directory separator
+
+# The LDAP version to use (defaults to 3
+# if supported by client library)
+ldap_version 3
+
+# The distinguished name to bind to the server with.
+# Optional: default is to bind anonymously.
+# Please do not put double quotes around it as they
+# would be included literally.
+#binddn cn=proxyuser,dc=padl,dc=com
+
+# The credentials to bind with. 
+# Optional: default is no credential.
+#bindpw secret
+
+# The distinguished name to bind to the server with
+# if the effective user ID is root. Password is
+# stored in /etc/libnss-ldap.secret (mode 600)
+# Use 'echo -n "mypassword" > /etc/libnss-ldap.secret' instead
+# of an editor to create the file.
+#rootbinddn cn=admin,dc=example,dc=net
+
+# The port.
+# Optional: default is 389.
+#port 389
+
+# The search scope.
+#scope sub
+#scope one
+#scope base
+
+# Search timelimit in seconds (0 for indefinite; default 0)
+#timelimit 0
+
+# Bind/connect timelimit (0 for indefinite; default 30)
+#bind_timelimit 30
+
+# Reconnect policy:
+#  hard_open: reconnect to DSA with exponential backoff if
+#             opening connection failed
+#  hard_init: reconnect to DSA with exponential backoff if
+#             initializing connection failed
+#  hard:      alias for hard_open
+#  soft:      return immediately on server failure
+#bind_policy hard
+
+# Connection policy:
+#  persist:   DSA connections are kept open (default)
+#  oneshot:   DSA connections destroyed after request
+#nss_connect_policy persist
+
+# Idle timelimit; client will close connections
+# (nss_ldap only) if the server has not been contacted
+# for the number of seconds specified below.
+#idle_timelimit 3600
+
+# Use paged rseults
+#nss_paged_results yes
+
+# Pagesize: when paged results enable, used to set the
+# pagesize to a custom value
+#pagesize 1000
+
+# Filter to AND with uid=%s
+#pam_filter objectclass=account
+
+# The user ID attribute (defaults to uid)
+#pam_login_attribute uid
+
+# Search the root DSE for the password policy (works
+# with Netscape Directory Server)
+#pam_lookup_policy yes
+
+# Check the 'host' attribute for access control
+# Default is no; if set to yes, and user has no
+# value for the host attribute, and pam_ldap is
+# configured for account management (authorization)
+# then the user will not be allowed to login.
+#pam_check_host_attr yes
+
+# Check the 'authorizedService' attribute for access
+# control
+# Default is no; if set to yes, and the user has no
+# value for the authorizedService attribute, and
+# pam_ldap is configured for account management
+# (authorization) then the user will not be allowed
+# to login.
+#pam_check_service_attr yes
+
+# Group to enforce membership of
+#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
+
+# Group member attribute
+#pam_member_attribute uniquemember
+
+# Specify a minium or maximum UID number allowed
+#pam_min_uid 0
+#pam_max_uid 0
+
+# Template login attribute, default template user
+# (can be overriden by value of former attribute
+# in user's entry)
+#pam_login_attribute userPrincipalName
+#pam_template_login_attribute uid
+#pam_template_login nobody
+
+# HEADS UP: the pam_crypt, pam_nds_passwd,
+# and pam_ad_passwd options are no
+# longer supported.
+#
+# Do not hash the password at all; presume
+# the directory server will do it, if
+# necessary. This is the default.
+#pam_password clear
+
+# Hash password locally; required for University of
+# Michigan LDAP server, and works with Netscape
+# Directory Server if you're using the UNIX-Crypt
+# hash mechanism and not using the NT Synchronization
+# service. 
+#pam_password crypt
+
+# Remove old password first, then update in
+# cleartext. Necessary for use with Novell
+# Directory Services (NDS)
+#pam_password nds
+
+# RACF is an alias for the above. For use with
+# IBM RACF
+#pam_password racf
+
+# Update Active Directory password, by
+# creating Unicode password and updating
+# unicodePwd attribute.
+#pam_password ad
+
+# Use the OpenLDAP password change
+# extended operation to update the password.
+#pam_password exop
+
+# Redirect users to a URL or somesuch on password
+# changes.
+#pam_password_prohibit_message Please visit http://internal to change your password.
+
+# Use backlinks for answering initgroups()
+#nss_initgroups backlink
+
+# Enable support for RFC2307bis (distinguished names in group
+# members)
+#nss_schema rfc2307bis
+
+# RFC2307bis naming contexts
+# Syntax:
+# nss_base_XXX		base?scope?filter
+# where scope is {base,one,sub}
+# and filter is a filter to be &'d with the
+# default filter.
+# You can omit the suffix eg:
+# nss_base_passwd	ou=People,
+# to append the default base DN but this
+# may incur a small performance impact.
+#nss_base_passwd	ou=People,dc=padl,dc=com?one
+#nss_base_shadow	ou=People,dc=padl,dc=com?one
+#nss_base_group		ou=Group,dc=padl,dc=com?one
+#nss_base_hosts		ou=Hosts,dc=padl,dc=com?one
+#nss_base_services	ou=Services,dc=padl,dc=com?one
+#nss_base_networks	ou=Networks,dc=padl,dc=com?one
+#nss_base_protocols	ou=Protocols,dc=padl,dc=com?one
+#nss_base_rpc		ou=Rpc,dc=padl,dc=com?one
+#nss_base_ethers	ou=Ethers,dc=padl,dc=com?one
+#nss_base_netmasks	ou=Networks,dc=padl,dc=com?ne
+#nss_base_bootparams	ou=Ethers,dc=padl,dc=com?one
+#nss_base_aliases	ou=Aliases,dc=padl,dc=com?one
+#nss_base_netgroup	ou=Netgroup,dc=padl,dc=com?one
+
+# attribute/objectclass mapping
+# Syntax:
+#nss_map_attribute	rfc2307attribute	mapped_attribute
+#nss_map_objectclass	rfc2307objectclass	mapped_objectclass
+
+# configure --enable-nds is no longer supported.
+# NDS mappings
+#nss_map_attribute uniqueMember member
+
+# Services for UNIX 3.5 mappings
+#nss_map_objectclass posixAccount User
+#nss_map_objectclass shadowAccount User
+#nss_map_attribute uid msSFU30Name
+#nss_map_attribute uniqueMember msSFU30PosixMember
+#nss_map_attribute userPassword msSFU30Password
+#nss_map_attribute homeDirectory msSFU30HomeDirectory
+#nss_map_attribute homeDirectory msSFUHomeDirectory
+#nss_map_objectclass posixGroup Group
+#pam_login_attribute msSFU30Name
+#pam_filter objectclass=User
+#pam_password ad
+
+# configure --enable-mssfu-schema is no longer supported.
+# Services for UNIX 2.0 mappings
+#nss_map_objectclass posixAccount User
+#nss_map_objectclass shadowAccount user
+#nss_map_attribute uid msSFUName
+#nss_map_attribute uniqueMember posixMember
+#nss_map_attribute userPassword msSFUPassword
+#nss_map_attribute homeDirectory msSFUHomeDirectory
+#nss_map_attribute shadowLastChange pwdLastSet
+#nss_map_objectclass posixGroup Group
+#nss_map_attribute cn msSFUName
+#pam_login_attribute msSFUName
+#pam_filter objectclass=User
+#pam_password ad
+
+# RFC 2307 (AD) mappings
+#nss_map_objectclass posixAccount user
+#nss_map_objectclass shadowAccount user
+#nss_map_attribute uid sAMAccountName
+#nss_map_attribute homeDirectory unixHomeDirectory
+#nss_map_attribute shadowLastChange pwdLastSet
+#nss_map_objectclass posixGroup group
+#nss_map_attribute uniqueMember member
+#pam_login_attribute sAMAccountName
+#pam_filter objectclass=User
+#pam_password ad
+
+# configure --enable-authpassword is no longer supported
+# AuthPassword mappings
+#nss_map_attribute userPassword authPassword
+
+# AIX SecureWay mappings
+#nss_map_objectclass posixAccount aixAccount
+#nss_base_passwd ou=aixaccount,?one
+#nss_map_attribute uid userName
+#nss_map_attribute gidNumber gid
+#nss_map_attribute uidNumber uid
+#nss_map_attribute userPassword passwordChar
+#nss_map_objectclass posixGroup aixAccessGroup
+#nss_base_group ou=aixgroup,?one
+#nss_map_attribute cn groupName
+#nss_map_attribute uniqueMember member
+#pam_login_attribute userName
+#pam_filter objectclass=aixAccount
+#pam_password clear
+
+# For pre-RFC2307bis automount schema
+#nss_map_objectclass automountMap nisMap
+#nss_map_attribute automountMapName nisMapName
+#nss_map_objectclass automount nisObject
+#nss_map_attribute automountKey cn
+#nss_map_attribute automountInformation nisMapEntry
+
+# Netscape SDK LDAPS
+#ssl on
+
+# Netscape SDK SSL options
+#sslpath /etc/ssl/certs
+
+# OpenLDAP SSL mechanism
+# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
+#ssl start_tls
+#ssl on
+
+# OpenLDAP SSL options
+# Require and verify server certificate (yes/no)
+# Default is to use libldap's default behavior, which can be configured in
+# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
+# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
+#tls_checkpeer yes
+
+# CA certificates for server certificate verification
+# At least one of these are required if tls_checkpeer is "yes"
+#tls_cacertfile /etc/ssl/ca.cert
+#tls_cacertdir /etc/ssl/certs
+
+# Seed the PRNG if /dev/urandom is not provided
+#tls_randfile /var/run/egd-pool
+
+# SSL cipher suite
+# See man ciphers for syntax
+#tls_ciphers TLSv1
+
+# Client certificate and key
+# Use these, if your server requires client authentication.
+#tls_cert
+#tls_key
+
+# Disable SASL security layers. This is needed for AD.
+#sasl_secprops maxssf=0
+
+# Override the default Kerberos ticket cache location.
+#krb5_ccname FILE:/etc/.ldapcache
+

repo/common/authnz/nsswitch.conf

@@ -0,0 +1,27 @@
+# /etc/nsswitch.conf
+#
+# Example configuration of GNU Name Service Switch functionality.
+# If you have the `glibc-doc-reference' and `info' packages installed, try:
+# `info libc "Name Service Switch"' for information about this file.
+
+passwd:         compat
+passwd_compat:	ldap
+
+shadow:         compat
+shadow_compat:	ldap
+
+group:          files ldap
+
+gshadow:        files
+
+hosts:          dns files
+networks:       files
+
+protocols:      db files
+services:       db files
+ethers:         db files
+rpc:            db files
+
+netgroup:       ldap
+
+aliases:	files ldap

repo/common/authnz/pam_ldap.conf

@@ -0,0 +1,293 @@
+###DEBCONF###
+# the configuration of this file will be done by debconf as long as the
+# first line of the file says '###DEBCONF###'
+#
+# you should use dpkg-reconfigure to configure this file
+#
+# @(#)$Id: pam_ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
+#
+# This is the configuration file for the LDAP nameservice
+# switch library and the LDAP PAM module.
+#
+# PADL Software
+# http://www.padl.com
+#
+
+# Your LDAP server. Must be resolvable without using LDAP.
+# Multiple hosts may be specified, each separated by a 
+# space. How long nss_ldap takes to failover depends on
+# whether your LDAP client library supports configurable
+# network or connect timeouts (see bind_timelimit).
+#host 127.0.0.1
+
+# The distinguished name of the search base.
+base dc=@BASE_DC@
+
+# Another way to specify your LDAP server is to provide an
+uri ldap://@LDAP_SERVER@/
+# Unix Domain Sockets to connect to a local LDAP Server.
+#uri ldap://127.0.0.1/
+#uri ldaps://127.0.0.1/   
+#uri ldapi://%2fvar%2frun%2fldapi_sock/
+# Note: %2f encodes the '/' used as directory separator
+
+# The LDAP version to use (defaults to 3
+# if supported by client library)
+ldap_version 3
+
+# The distinguished name to bind to the server with.
+# Optional: default is to bind anonymously.
+#binddn cn=proxyuser,dc=padl,dc=com
+
+# The credentials to bind with. 
+# Optional: default is no credential.
+#bindpw secret
+
+# The distinguished name to bind to the server with
+# if the effective user ID is root. Password is
+# stored in /etc/pam_ldap.secret (mode 600)
+rootbinddn cn=@LDAP_ADM@,@BASE_DC@
+
+# The port.
+# Optional: default is 389.
+#port 389
+
+# The search scope.
+#scope sub
+#scope one
+#scope base
+
+# Search timelimit
+#timelimit 30
+
+# Bind/connect timelimit
+#bind_timelimit 30
+
+# Reconnect policy: hard (default) will retry connecting to
+# the software with exponential backoff, soft will fail
+# immediately.
+#bind_policy hard
+
+# Idle timelimit; client will close connections
+# (nss_ldap only) if the server has not been contacted
+# for the number of seconds specified below.
+#idle_timelimit 3600
+
+# Filter to AND with uid=%s
+#pam_filter objectclass=account
+
+# The user ID attribute (defaults to uid)
+#pam_login_attribute uid
+
+# Search the root DSE for the password policy (works
+# with Netscape Directory Server)
+#pam_lookup_policy yes
+
+# Check the 'host' attribute for access control
+# Default is no; if set to yes, and user has no
+# value for the host attribute, and pam_ldap is
+# configured for account management (authorization)
+# then the user will not be allowed to login.
+#pam_check_host_attr yes
+
+# Check the 'authorizedService' attribute for access
+# control
+# Default is no; if set to yes, and the user has no
+# value for the authorizedService attribute, and
+# pam_ldap is configured for account management
+# (authorization) then the user will not be allowed
+# to login.
+#pam_check_service_attr yes
+
+# Group to enforce membership of
+#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
+
+# Group member attribute
+#pam_member_attribute uniquemember
+
+# Specify a minium or maximum UID number allowed
+#pam_min_uid 0
+#pam_max_uid 0
+
+# Template login attribute, default template user
+# (can be overriden by value of former attribute
+# in user's entry)
+#pam_login_attribute userPrincipalName
+#pam_template_login_attribute uid
+#pam_template_login nobody
+
+# HEADS UP: the pam_crypt, pam_nds_passwd,
+# and pam_ad_passwd options are no
+# longer supported.
+#
+# Do not hash the password at all; presume
+# the directory server will do it, if
+# necessary. This is the default.
+pam_password md5
+
+# Hash password locally; required for University of
+# Michigan LDAP server, and works with Netscape
+# Directory Server if you're using the UNIX-Crypt
+# hash mechanism and not using the NT Synchronization
+# service. 
+#pam_password crypt
+
+# Remove old password first, then update in
+# cleartext. Necessary for use with Novell
+# Directory Services (NDS)
+#pam_password clear_remove_old
+#pam_password nds
+
+# RACF is an alias for the above. For use with
+# IBM RACF
+#pam_password racf
+
+# Update Active Directory password, by
+# creating Unicode password and updating
+# unicodePwd attribute.
+#pam_password ad
+
+# Use the OpenLDAP password change
+# extended operation to update the password.
+#pam_password exop
+
+# Redirect users to a URL or somesuch on password
+# changes.
+#pam_password_prohibit_message Please visit http://internal to change your password.
+
+# RFC2307bis naming contexts
+# Syntax:
+# nss_base_XXX		base?scope?filter
+# where scope is {base,one,sub}
+# and filter is a filter to be &'d with the
+# default filter.
+# You can omit the suffix eg:
+# nss_base_passwd	ou=People,
+# to append the default base DN but this
+# may incur a small performance impact.
+#nss_base_passwd	ou=People,dc=padl,dc=com?one
+#nss_base_shadow	ou=People,dc=padl,dc=com?one
+#nss_base_group		ou=Group,dc=padl,dc=com?one
+#nss_base_hosts		ou=Hosts,dc=padl,dc=com?one
+#nss_base_services	ou=Services,dc=padl,dc=com?one
+#nss_base_networks	ou=Networks,dc=padl,dc=com?one
+#nss_base_protocols	ou=Protocols,dc=padl,dc=com?one
+#nss_base_rpc		ou=Rpc,dc=padl,dc=com?one
+#nss_base_ethers	ou=Ethers,dc=padl,dc=com?one
+#nss_base_netmasks	ou=Networks,dc=padl,dc=com?ne
+#nss_base_bootparams	ou=Ethers,dc=padl,dc=com?one
+#nss_base_aliases	ou=Aliases,dc=padl,dc=com?one
+#nss_base_netgroup	ou=Netgroup,dc=padl,dc=com?one
+
+# attribute/objectclass mapping
+# Syntax:
+#nss_map_attribute	rfc2307attribute	mapped_attribute
+#nss_map_objectclass	rfc2307objectclass	mapped_objectclass
+
+# configure --enable-nds is no longer supported.
+# NDS mappings
+#nss_map_attribute uniqueMember member
+
+# Services for UNIX 3.5 mappings
+#nss_map_objectclass posixAccount User
+#nss_map_objectclass shadowAccount User
+#nss_map_attribute uid msSFU30Name
+#nss_map_attribute uniqueMember msSFU30PosixMember
+#nss_map_attribute userPassword msSFU30Password
+#nss_map_attribute homeDirectory msSFU30HomeDirectory
+#nss_map_attribute homeDirectory msSFUHomeDirectory
+#nss_map_objectclass posixGroup Group
+#pam_login_attribute msSFU30Name
+#pam_filter objectclass=User
+#pam_password ad
+
+# configure --enable-mssfu-schema is no longer supported.
+# Services for UNIX 2.0 mappings
+#nss_map_objectclass posixAccount User
+#nss_map_objectclass shadowAccount user
+#nss_map_attribute uid msSFUName
+#nss_map_attribute uniqueMember posixMember
+#nss_map_attribute userPassword msSFUPassword
+#nss_map_attribute homeDirectory msSFUHomeDirectory
+#nss_map_attribute shadowLastChange pwdLastSet
+#nss_map_objectclass posixGroup Group
+#nss_map_attribute cn msSFUName
+#pam_login_attribute msSFUName
+#pam_filter objectclass=User
+#pam_password ad
+
+# RFC 2307 (AD) mappings
+#nss_map_objectclass posixAccount user
+#nss_map_objectclass shadowAccount user
+#nss_map_attribute uid sAMAccountName
+#nss_map_attribute homeDirectory unixHomeDirectory
+#nss_map_attribute shadowLastChange pwdLastSet
+#nss_map_objectclass posixGroup group
+#nss_map_attribute uniqueMember member
+#pam_login_attribute sAMAccountName
+#pam_filter objectclass=User
+#pam_password ad
+
+# configure --enable-authpassword is no longer supported
+# AuthPassword mappings
+#nss_map_attribute userPassword authPassword
+
+# AIX SecureWay mappings
+#nss_map_objectclass posixAccount aixAccount
+#nss_base_passwd ou=aixaccount,?one
+#nss_map_attribute uid userName
+#nss_map_attribute gidNumber gid
+#nss_map_attribute uidNumber uid
+#nss_map_attribute userPassword passwordChar
+#nss_map_objectclass posixGroup aixAccessGroup
+#nss_base_group ou=aixgroup,?one
+#nss_map_attribute cn groupName
+#nss_map_attribute uniqueMember member
+#pam_login_attribute userName
+#pam_filter objectclass=aixAccount
+#pam_password clear
+
+# Netscape SDK LDAPS
+#ssl on
+
+# Netscape SDK SSL options
+#sslpath /etc/ssl/certs
+
+# OpenLDAP SSL mechanism
+# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
+#ssl start_tls
+#ssl on
+
+# OpenLDAP SSL options
+# Require and verify server certificate (yes/no)
+# Default is to use libldap's default behavior, which can be configured in
+# /etc/openldap/pam_ldap.conf using the TLS_REQCERT setting.  The default for
+# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
+#tls_checkpeer yes
+
+# CA certificates for server certificate verification
+# At least one of these are required if tls_checkpeer is "yes"
+#tls_cacertfile /etc/ssl/ca.cert
+#tls_cacertdir /etc/ssl/certs
+
+# Seed the PRNG if /dev/urandom is not provided
+#tls_randfile /var/run/egd-pool
+
+# SSL cipher suite
+# See man ciphers for syntax
+#tls_ciphers TLSv1
+
+# Client certificate and key
+# Use these, if your server requires client authentication.
+#tls_cert
+#tls_key
+
+# Disable SASL security layers. This is needed for AD.
+#sasl_secprops maxssf=0
+
+# Override the default Kerberos ticket cache location.
+#krb5_ccname FILE:/etc/.ldapcache
+
+# SASL mechanism for PAM authentication - use is experimental
+# at present and does not support password policy control
+#pam_sasl_mech DIGEST-MD5