2 # Configuration file for pam_pkcs11 module
# Read by the pam_pkcs11 PAM module. "#" starts a full-line comment;
# blocks are written as "name { key = value; }". This excerpt is not the
# whole file: several keys and block delimiters between the numbered lines
# are not shown.
4 # Original Author: Juan Antonio Martinez <jonsito@teleline.es>
7 # Allow empty passwords
# NOTE(review): the setting itself is not visible in this excerpt; leave it
# disabled unless empty PINs/passwords are genuinely required.
10 # Enable debugging support.
# NOTE(review): debugging output may expose certificate and login details in
# logs; keep it off in production.
13 # Filename of the PKCS #11 module. The default value is "default"
14 use_pkcs11_module = default;
# PKCS #11 provider referenced by use_pkcs11_module above.
16 pkcs11_module default {
17 module = /usr/lib/libpkcs11.so;
18 description = "Solaris PKCS#11 Cryptographic Framework library";
21 # You can use "slot_description" or "slot_num", but not both, to specify
22 # the slot to use. Using "slot_description" is preferred because the
23 # PKCS#11 specification does not guarantee slot ordering. "slot_num" should
24 # only be used with those PKCS#11 implementations that guarantee
25 # constant slot numbering.
27 # slot_description = "xxxx"
28 # The slot is specified by the slot description, for example,
29 # slot_description = "Sun Crypto Softtoken". The default value is
30 # "none" which means to use the first slot with an available token.
33 # The slot is specified by the slot number, for example, slot_num = 1.
34 # The default value is zero which means to use the first slot with an
# available token.
37 # On Solaris OS, an administrator can use the "cryptoadm list -v" command
38 # to find all the available slots and their slot descriptions. For more
39 # information, see the libpkcs11(3LIB) and cryptoadm(1m) man pages.
41 slot_description = "none";
43 # Where are CA certificates stored?
44 # You can set this value to:
45 # 1- A directory with openssl hash-links to all certificates
46 # 2- A CA file in PEM (.pem) or ASN1 (.cer) format,
47 # containing all allowed CA certs
48 # The default value is /etc/security/pam_pkcs11/cacerts.
# NOTE(review): this is the trust-anchor store for card logins; it should be
# writable by root only.
49 ca_dir = /etc/security/pam_pkcs11/cacerts;
51 # Path to the directory where the local (offline) CRLs are stored.
52 # The same convention as above applies: you can choose either a
53 # hash-link directory or a CRL file.
54 # The default value is /etc/security/pam_pkcs11/crls.
55 crl_dir = /etc/security/pam_pkcs11/crls;
57 # Some PKCS#11 libraries can handle multithreading. So
58 # set it to true to properly call C_Initialize()
59 support_threads = false;
61 # Sets the Certificate verification policy.
62 # "none" Performs no verification
64 # "crl_online" Downloads the CRL from the location given by the
65 # CRL distribution point extension of the certificate
66 # "crl_offline" Uses the locally stored CRLs
67 # "crl_auto" Is a combination of online and offline; it first
68 # tries to download the CRL from a possibly given CRL
69 # distribution point and if this fails, uses the local
# CRLs
71 # "signature" Does also a signature check to ensure that private
72 # and public key matches
73 # You can use a combination of ca,crl, and signature flags, or just
# one of them, for example:
75 # cert_policy = ca,signature;
# NOTE(review): "signature" alone only checks that the private and public
# key match; without the "ca" flag the certificate is presumably not
# validated against ca_dir, and without a crl flag no revocation check is
# done. Confirm this is the intended policy -- the commented
# "ca,signature" example above is the stronger setting.
76 cert_policy = signature;
79 # The value of the token_type parameter will be used in the user prompt
80 # messages. The default value is "Smart card".
81 token_type = "Secure token";
# NOTE(review): the closing "}" of the pkcs11_module block is presumably
# just below here; it is not visible in this excerpt.
84 # Which mappers ( Cert to login ) to use?
85 # you can use several mappers:
87 # subject - Cert Subject to login file based mapper
88 # pwent - CN to getpwent() login or gecos fields mapper
90 # opensc - Search certificate in ${HOME}/.eid/authorized_certificates
91 # openssh - Search certificate public key in ${HOME}/.ssh/authorized_keys
92 # mail - Compare email fields from certificate
93 # ms - Use Microsoft Universal Principal Name extension
94 # krb - Compare against Kerberos Principal Name
95 # cn - Compare Common Name (CN)
96 # uid - Compare Unique Identifier
97 # digest - Certificate digest to login (mapfile based) mapper
98 # generic - User defined certificate contents mapped
99 # null - blind access/deny mapper
101 # You can select a comma-separated mapper list.
102 # If used, the null mapper should be the last in the list :-)
103 # Also you should select at least one mapper, otherwise
104 # the certificate will not match :-)
# NOTE(review): the active use_mappers line is not shown in this excerpt;
# mappers are tried in list order, so the order chosen decides which
# mapping wins.
105 # use_mappers = digest, cn, pwent, uid, mail, subject, null;
108 # When no absolute path or module info is provided, use this
109 # value as module search path
111 # This is not yet functional: use absolute pathnames or LD_LIBRARY_PATH
112 mapper_search_path = /usr/lib/pam_pkcs11;
115 # Generic certificate contents mapper
119 # ignore letter case on match/compare
121 # Use one of "cn" , "subject" , "kpn" , "email" , "upn" or "uid"
123 # Define mapfile if needed, else select "none"
# NOTE(review): this line lacks the trailing ";" used on the other mapfile
# entries below -- confirm the parser accepts both forms.
124 mapfile = file:///etc/security/pam_pkcs11/generic_mapping
125 # Decide if use getpwent() to map login
126 use_getpwent = false;
129 # Certificate Subject to login based mapper
130 # provided file stores one or more "Subject -> login" lines
# NOTE(review): mapping files decide which local account a certificate
# logs in as; they should be writable by root only.
135 mapfile = file:///etc/security/pam_pkcs11/subject_mapping;
138 # Search public keys from $HOME/.ssh/authorized_keys to match users
141 module = /usr/lib/pam_pkcs11/openssh_mapper.so;
144 # Search certificates from $HOME/.eid/authorized_certificates to match users
147 module = /usr/lib/pam_pkcs11/opensc_mapper.so;
150 # Certificate Common Name ( CN ) to getpwent() mapper
157 # Null ( no map ) mapper: used when the user found by the other mappers
# is NULL or "nobody"
161 # select behavior: always match, or always fail
# NOTE(review): "true" would map every certificate that reaches this mapper
# to default_user; keep false unless a catch-all account is intended.
162 default_match = false;
163 # on match, select returned user
164 default_user = nobody ;
167 # Directory ( ldap style ) mapper
170 module = /usr/lib/pam_pkcs11/ldap_mapper.so;
171 # hostname of ldap server (use LDAP-URI for more than one)
173 # Port on ldap server to connect, this is also the default
174 # if no port is given in URI below
175 # if empty, then 389 for TLS and 636 for SSL is used
177 # space separated list of LDAP URIs (URIs are used by given order)
179 # Scope of search: 0-2
180 # Default is 1 = "one", meaning the set of records one
181 # level below the basedn.
182 # 0 = "base" means search only the basedn, and
183 # 2 = "sub" means the basedn entry together with the
184 # whole subtree below it
186 # DN to bind with. Must have read-access for user entries
188 binddn = "cn=pam,o=example,c=com";
189 # Password for above DN
# NOTE(review): the bind password is stored in clear text in this file;
# keep the file readable by root only.
191 # Searchbase for user entries
192 base = "ou=People,o=example,c=com";
193 # Attribute of user entry which contains the certificate
194 attribute = "userCertificate";
195 # Searchfilter for user entry. Must only match the entry
196 # of the login user.
# NOTE(review): %s is replaced with the login name handed to PAM; whether
# LDAP filter metacharacters in it are escaped is not visible here --
# confirm in the ldap mapper before relying on this filter.
197 filter = "(&(objectClass=posixAccount)(uid=%s))"
199 # This is a global switch, you can't switch between
200 # SSL or TLS and non secured connections per URI!
201 # values: off (standard), tls or on (ssl) or ssl
# NOTE(review): the switch line is not shown here; with "off" the bind
# password and lookups travel unencrypted, and the TLS settings below
# presumably only take effect when tls or ssl is selected.
203 # SSL specific settings
205 tls_cacertfile = /etc/ssl/cacert.pem
206 # tls_cacertdir = ...
213 # Assume common name (CN) to be the login
218 # mapfile = file:///etc/security/pam_pkcs11/cn_map;
222 # mail - Compare email field from certificate
227 # leave empty "" or "none" to use no map
228 mapfile = file:///etc/security/pam_pkcs11/mail_mapping;
229 # Some certs store the email in uppercase; take care with this
231 # Also check that host matches mx domain
232 # when using mapfile this feature is ignored
233 ignoredomain = false;
236 # ms - Use Microsoft Universal Principal Name extension
237 # UPN is in format login@ADS_Domain. No map is needed, just
# the domain part has to match the value below
# NOTE(review): "domain.com" looks like a placeholder; set it to the real
# directory domain. With ignoredomain = false a UPN from another domain is
# presumably rejected, which is the safer default.
243 ignoredomain = false;
244 domain = "domain.com";
247 # krb - Compare against Kerberos Principal Name
255 # uid - Maps Subject Unique Identifier field (if exist) to login
263 # digest - elaborate certificate digest and map it into a file
267 # algorithm used to evaluate certificate digest
# NOTE(review): "md2", "md4" and "md5" are listed for completeness only;
# prefer a SHA-family digest for any new mapping.
269 # "null","md2","md4","md5","sha","sha1","dss","dss1","ripemd160"
271 # mapfile = file:///etc/security/pam_pkcs11/digest_mapping;