LDAP-UX Client Services B.04.10 Administrator's Guide (edition 7)

ManualsBrandsHP ManualsSoftwareHP-UX LDAP-UX Integration Software

111

112

113

114

115

116

117

118

119

120

function_name This field defines the function name in the specified <library_name> that

PAM_AUTHZ uses to evaluate certain security policy settings with the

The following describes the valid entries for this field:

• check_rhds_policy: If this option is specified, PAM_AUTHZ

evaluates all the necessary account and password policies settings,

stored in the Netscape/Red Hat Directory Server, for the login user.

• check_ads_policy: If this option is specified, PAM_AUTHZ

evaluates all the necessary account and password policies settings,

stored in theWindows 2000, 2003 or 2003 R2 Active Directory, for the

NOTE: If the status:rhds:check_rhds_policy access rule is configured in the

/etc/opt/ldapux/pam_authz.policy file, you must perform the following tasks:

• Define the allow:unix_local_user access rule in pam_authz.policy to allow the

local user to login.

• Since the status:rhds:check_rhds_policy access rule is guaranteed to match and

return a PAM return code. It is highly recommended to define the

status:rhds:check_rhds_policy access rule at the end of the pam_authz.policy

file. Otherwise, the access rules that are defined after the status access rule will not be

evaluated.

• PAM_AUTHZ may display account and password policy attributes in the syslog file when

the debug option is enabled. You can take proper action to protect the syslog file. For example,

set the syslog file permissions, so that the file can only be accessed or viewed by the power

user.

An Example of Access Rules

The following shows an example of the access rules defined in the

/etc/opt/ldapux/pam_authz.policy file when configuring and using security policy

enforcement for SSH key-pair or r-commands:

allow:unix_local_user

status:rhds:check_rhds_policy

Setting Access Permissions for Global Policy Attributes

In order for PAM_AUTHZ to support security policy enforcement with the Red Hat Directory

server, PAM_AUTHZ needs access to the security policy configuration attributes. These global

policy attributes are all defined under cn=config. Only authorized users can access them. If you

use the PAM_AUTHZ enhancement to support the account and password policy enforcement,

you must configure LDAP-UX with a proxy user and grant this proxy user read and search rights

to search for specific attributes under cn=config. The following example ACI gives a proxy user

permission to read and search all global policy attributes:

aci: (targetattr= "objectclass ||passwordLockout ||passwordUnlock

||passwordMaxFailure ||passwordExp ||passwordMustChange

||nsslapd-pwpolicy-local")

(version 3.0; acl "Proxy global security policy attributes read and

search rights";

allow (read,search)

(userdn = "ldap:///uid=proxyuser,ou=Special Users,o=hp.com");)

For more information about a list of security policy attributes supported by LDAP-UX, see

“Directory Server Security Policies” (page 113).

PAM_AUTHZ Login Authorization 111