pam_ldap LDAP Actions
=====================

The following list describes the actions on the LDAP server and the affected
LDAP objects and attributes that pam_ldap performs.

The information contained in the list may be used to determine the required
permissions to objects and attributes in the directory.

To be able to fully perform one of the listed actions, the accounts listed
below 'Account' need read access to the attributes listed below 'Attributes'
and compare access to the attributes used in the filters listed below 'Filter',
for all objects in the directory branch that starts at 'Base'.


User Search
-----------
* Account:
	VALUE OF rootbinddn 	(if geteuid() == 0 and 'rootbinddn' is set)
	VALUE OF binddn		(if geteuid() != 0 or 'rootbinddn' isn't set)
	anonymous		(if 'binddn' is not set)
* Base:
	VALUE OF nss_base_passwd
	VALUE OF base		(if 'nss_base_passwd' is not set)
* Filter:
	AND combination of the following partial filters:
		VALUE OF pam_filter
		VALUE OF FILTER PART OF nss_base_passwd
		(LoginAttr=UserName)
	    where
		LoginAttr = VALUE OF pam_login_attribute (default: uid)
		UserName = the account of the user
	    If either 'pam_filter' or 'nss_base_passwd'
	    is not set, the associated part is left out.
* Attributes:
	host
	authorizedService
	uidNumber
	VALUE OF pam_template_login_attribute
	shadowLastChange
	shadowMin
	shadowMax
	shadowWarning
	shadowInactive
	shadowExpire
	shadowFlag

Password-Change for a User
--------------------------
* Account:
	VALUE OF rootbinddn 	(if geteuid() == 0 and 'rootbinddn' is set)
	user's DN		(as found in the 'User Search')
* Base:
	VALUE OF nss_base_passwd
	    or
	VALUE OF base		(if 'nss_base_passwd' is not set)
* Attributes (write access necessary):
	userPassword		(if 'pam_password' is not set to 'ad')
	unicodePwd		(if 'pam_password' is set to 'ad')
	shadowLastChange


Group Membership Search
-----------------------
* Comment:
	only performed if 'pam_groupdn' is set
* Account:
	VALUE OF rootbinddn 	(if geteuid() == 0 and 'rootbinddn' is set)
	VALUE OF binddn		(if geteuid() != 0 or 'rootbinddn' isn't set)
	anonymous		(if 'binddn' is not set)
* Base:
	VALUE OF pam_groupdn
* Filter:
	(MemberAttr=UserDN)
	    where
		MemberAttr = VALUE OF pam_member_attribute (default: uniqueMember)
		UserDN = user's DN 	(as found in 'User Search')

Password-Policy Search
----------------------
* Comment:
	only performed if 'pam_lookup_policy' is set to yes
* Account:
	VALUE OF rootbinddn 	(if geteuid() == 0 and 'rootbinddn' is set)
	VALUE OF binddn		(if geteuid() != 0 or 'rootbinddn' isn't set)
	anonymous		(if 'binddn' is not set)
* Base:
	TREE-ROOT
* Filter:
	(objectclass=passwordPolicy)
* Attributes:
	passwordMaxFailure
	passwordMinLength
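As an added example, not code from pam_ldap itself, the following Python reconstructs the four actions above (bind account selection, user search, password-change target attributes, group membership search and password-policy search) from an ldap.conf-style mapping, so an administrator can see exactly which base, filter and attributes a given configuration will touch before writing directory ACLs. The `base?scope?filter` syntax for `nss_base_passwd`, the un-parenthesised `pam_filter` form and the empty-string representation of TREE-ROOT are assumptions about the config syntax; the RFC 4515 escaping of the user-supplied name is an addition not stated on the page, included because a login name is untrusted input that would otherwise be spliced into the filter verbatim.

```python
"""Reconstruct the LDAP actions described in the pam_ldap notes.

Added example; not pam_ldap's own code.  The sample configuration and the
handling of the 'base?scope?filter' form are constructed assumptions.
"""
from typing import Dict, List, Optional

# Attributes read by the 'User Search' (the fixed part of the list on the page).
USER_SEARCH_ATTRS = [
    "host", "authorizedService", "uidNumber",
    "shadowLastChange", "shadowMin", "shadowMax", "shadowWarning",
    "shadowInactive", "shadowExpire", "shadowFlag",
]

# Constructed sample configuration (not taken from any real deployment).
SAMPLE_CONFIG: Dict[str, str] = {
    "base": "dc=example,dc=com",
    "rootbinddn": "cn=manager,dc=example,dc=com",
    "binddn": "cn=proxy,dc=example,dc=com",
    "nss_base_passwd": "ou=People,dc=example,dc=com?one",
    "pam_filter": "objectclass=account",
    "pam_groupdn": "cn=pamusers,ou=Groups,dc=example,dc=com",
    "pam_lookup_policy": "yes",
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so an untrusted value cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def as_filter(part: Optional[str]) -> Optional[str]:
    """Wrap a bare 'attr=value' config value in parentheses (assumed syntax)."""
    if not part:
        return None
    return part if part.startswith("(") else f"({part})"


def and_filters(parts: List[Optional[str]]) -> str:
    """AND-combine the partial filters, leaving out the unset ones."""
    present = [p for p in (as_filter(x) for x in parts) if p]
    return present[0] if len(present) == 1 else "(&" + "".join(present) + ")"


def parse_nss_base(value: str):
    """Split 'base?scope?filter' (assumed nss_ldap syntax) into its parts."""
    base, _, rest = value.partition("?")
    scope, _, filt = rest.partition("?")
    return base, scope or "sub", filt or None


def bind_account(config: Dict[str, str], euid: int) -> str:
    """Which identity pam_ldap binds as, per the 'Account' rules on the page."""
    if euid == 0 and config.get("rootbinddn"):
        return config["rootbinddn"]
    if config.get("binddn"):
        return config["binddn"]
    return "anonymous"


def user_search(config: Dict[str, str], username: str) -> Dict[str, object]:
    """Base, scope, filter and attribute list of the 'User Search'."""
    if config.get("nss_base_passwd"):
        base, scope, nss_filter = parse_nss_base(config["nss_base_passwd"])
    else:
        base, scope, nss_filter = config["base"], "sub", None
    login_attr = config.get("pam_login_attribute", "uid")
    login_filter = f"({login_attr}={escape_filter_value(username)})"
    attrs = list(USER_SEARCH_ATTRS)
    if config.get("pam_template_login_attribute"):
        attrs.append(config["pam_template_login_attribute"])
    return {
        "base": base,
        "scope": scope,
        "filter": and_filters([config.get("pam_filter"), nss_filter, login_filter]),
        "attributes": attrs,
    }


def password_change_attributes(config: Dict[str, str]) -> List[str]:
    """Attributes that need write access for 'Password-Change for a User'."""
    pw_attr = "unicodePwd" if config.get("pam_password") == "ad" else "userPassword"
    return [pw_attr, "shadowLastChange"]


def group_membership_search(config: Dict[str, str], user_dn: str) -> Optional[Dict[str, str]]:
    """'Group Membership Search'; None when pam_groupdn is unset (not performed)."""
    if not config.get("pam_groupdn"):
        return None
    member_attr = config.get("pam_member_attribute", "uniqueMember")
    return {"base": config["pam_groupdn"],
            "filter": f"({member_attr}={escape_filter_value(user_dn)})"}


def password_policy_search(config: Dict[str, str]) -> Optional[Dict[str, object]]:
    """'Password-Policy Search'; TREE-ROOT is represented as the empty base DN."""
    if config.get("pam_lookup_policy") != "yes":
        return None
    return {"base": "", "filter": "(objectclass=passwordPolicy)",
            "attributes": ["passwordMaxFailure", "passwordMinLength"]}


if __name__ == "__main__":
    print(bind_account(SAMPLE_CONFIG, 0))
    print(user_search(SAMPLE_CONFIG, "alice"))
    print(password_change_attributes(SAMPLE_CONFIG))
    print(group_membership_search(SAMPLE_CONFIG, "uid=alice,ou=People,dc=example,dc=com"))
    print(password_policy_search(SAMPLE_CONFIG))
```

Running it against the sample configuration yields the search base `ou=People,dc=example,dc=com` with one-level scope and the filter `(&(objectclass=account)(uid=alice))`; a login name such as `a*b` is emitted as `(uid=a\2ab)` rather than as a wildcard. Feeding each function's output to the directory's ACL checks (for example, `slapacl` on OpenLDAP) is a practical way to confirm that the bind account has exactly the read, compare and write rights the notes require and no more.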

 -- Peter Marschall <peter@adpm.de>
