Home

pamldapso

pamldapso is a PAM module designed to authenticate users against an LDAP directory while enabling single sign-on across services on Unix-like systems. By integrating LDAP identity with the PAM stack, it aims to minimize repeated prompts while maintaining centralized user management.

Core features include LDAP-based authentication, support for TLS, configurable bind methods, and flexible search filters for

Implementation and usage: pamldapso is typically distributed as a shared library loaded by PAM service files

Configuration overview: A typical setup specifies an LDAP URI, search base, and user filter, enables TLS, and

Security and status: Because it handles credentials, pamldapso requires careful hardening, including encrypted connections, restricted caching,

See also: pam_ldap, PAM, LDAP, SSSD, Kerberos, Single Sign-On.

users
and
groups.
pamldapso
can
provide
a
transient
session
credential
or
token
to
enable
single
sign-on
across
multiple
PAM-enabled
services
such
as
login,
su,
and
sudo,
depending
on
the
deployment.
It
is
designed
to
work
with
existing
LDAP
deployments
and
can
be
used
alongside
pam_unix,
pam_krb5,
or
SSSD.
in
/etc/pam.d.
It
relies
on
standard
LDAP
libraries
and
is
designed
to
integrate
with
standard
PAM
authentication
flows,
exposing
options
to
set
the
LDAP
URI,
base
DN,
search
scope,
bind
credentials,
and
TLS
settings.
In
deployments
with
SSSD
or
Kerberos,
pamldapso
can
complement
or
coexist
with
those
backends.
configures
token
or
cache
lifetimes.
Service
files
for
login,
su,
and
sudo
would
include
a
pamldapso.so
entry
with
appropriate
control
flags.
Administrators
should
ensure
least
privilege
for
bindings,
proper
certificate
validation,
and
regular
revocation
checks.
auditing,
and
regular
policy
reviews.
As
of
this
writing,
pamldapso
represents
a
conceptual
approach
or
a
niche
project
rather
than
a
broadly
standardized,
widely
adopted
module;
distributors
may
offer
different
implementations
or
alternatives.