LDAP-UX Client Services B.04.10 Administrator's Guide (edition 7)
Configuring PAM Configuration File
If you want to use PAM_AUTHZ to support enforcement of account and password policies
stored in the Netscape/Red Hat Directory Server, you must define the pam_authz library and
the rcommand option in the /etc/pam.conf file for the sshd and rcomds services under the
account management section. In addition, the control flag for the pam_authz library must be set
to required. See Appendix D, “Sample /etc/pam.conf File for Security Policy Enforcement”
(page 193) for the proper configuration.
Evaluating the Netscape/Red Hat Directory Server Security Policy
The following is an example of the access rule in the /etc/opt/ldapux/pam_authz.policy
file:
status:rhds:check_rhds_policy
If the above access rule is specified in the pam_authz.policy file, the check_rhds_policy
routine in the libpolicy_rhds library is loaded and executed. PAM_AUTHZ constructs a
request message that is used to find the current security policy configuration and to
examine the specific user's security policy status attributes to determine whether the user
complies with the security policy. PAM_AUTHZ searches for the following information:
• Global policy attributes under cn=config: passwordLockout, passwordUnlock,
passwordMaxFailure, passwordExp, passwordMustChange,
nsslapd-pwpolicy-local.
• User-specific policy attributes: accountUnlockTime, passwordExpirationTime,
pwdPolicySubEntry, passwordRetryCount, nsAccountLock.
• If fine-grained policy is turned on and the sub-tree policy for this user has been configured,
then LDAP-UX searches for password policy attributes at the subtree and user level:
passwordLockout, passwordUnlock, passwordMaxFailure, passwordExp,
passwordMustChange.
PAM_AUTHZ performs the following checks by evaluating the necessary security
policy settings, and returns the corresponding PAM return code to the application or command
that called the PAM API:
• Check whether the account is inactivated.
• Check whether the account is locked.
• Check whether the password has expired.
PAM Return Codes
If the status:rhds:check_rhds_policy access rule is specified in the
/etc/opt/ldapux/pam_authz.policy file for Netscape/Red Hat Directory Server,
PAM_AUTHZ evaluates the necessary security policy settings and returns one of the
following PAM return codes:
PAM_USER_UNKNOWN      Returned if the user is not found in the Directory Server, or if an
                      internal error (such as an error returned by the server) prevents
                      retrieving the user's policy attributes.
PAM_ACCT_EXPIRED      Returned if the user account is inactive.
PAM_ACCT_EXPIRED      Returned if the user account has been locked out.
PAM_NEW_AUTHTOK_REQD  Returned if the user's password has expired.
PAM_SUCCESS           Returned if the user account is active and not locked, and the
                      user's password has not expired.
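The following is an added illustrative model, not LDAP-UX's own code, of how the cn=config, subtree and user attributes listed in the previous section feed the three checks (inactive, locked, expired) and the return codes in this table. The precedence of a subtree policy over cn=config, the lockout test (passwordRetryCount against passwordMaxFailure, with accountUnlockTime as the unlock time when passwordUnlock is on) and the UTC GeneralizedTime format are assumptions made for the illustration; the sample data is constructed.

```python
from datetime import datetime, timezone

# PAM return codes named on this page (string tags stand in for the C constants).
PAM_SUCCESS, PAM_USER_UNKNOWN = "PAM_SUCCESS", "PAM_USER_UNKNOWN"
PAM_ACCT_EXPIRED, PAM_NEW_AUTHTOK_REQD = "PAM_ACCT_EXPIRED", "PAM_NEW_AUTHTOK_REQD"

# Policy attributes that a subtree (fine-grained) policy may override.
POLICY_ATTRS = ("passwordLockout", "passwordUnlock", "passwordMaxFailure",
                "passwordExp", "passwordMustChange")

def gtime(value):
    """Parse an LDAP GeneralizedTime such as 20240601120000Z (UTC assumed)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def effective_policy(global_cfg, subtree_policies, user):
    """Start from cn=config; when nsslapd-pwpolicy-local is on and the user's
    pwdPolicySubentry names a configured subtree policy, its values take precedence."""
    policy = {k: global_cfg.get(k) for k in POLICY_ATTRS}
    if global_cfg.get("nsslapd-pwpolicy-local") == "on":
        sub = subtree_policies.get(user.get("pwdPolicySubentry"), {})
        policy.update({k: v for k, v in sub.items() if k in POLICY_ATTRS})
    return policy

def check_rhds_policy(user, global_cfg, subtree_policies, now):
    """Run the three checks in order (inactive, locked, expired) and map to a PAM code.
    The ordering and the lockout test below are illustrative assumptions."""
    if user is None:                                   # not found / lookup error
        return PAM_USER_UNKNOWN
    policy = effective_policy(global_cfg, subtree_policies, user)
    if user.get("nsAccountLock", "false").lower() == "true":   # inactivated account
        return PAM_ACCT_EXPIRED
    max_fail = int(policy.get("passwordMaxFailure") or 0)
    if policy.get("passwordLockout") == "on" and max_fail:
        if int(user.get("passwordRetryCount", 0)) >= max_fail:
            unlock_at = user.get("accountUnlockTime")
            # passwordUnlock off: lockout is permanent; on: locked until accountUnlockTime
            if policy.get("passwordUnlock") != "on" or (unlock_at and gtime(unlock_at) > now):
                return PAM_ACCT_EXPIRED
    if policy.get("passwordExp") == "on" and "passwordExpirationTime" in user:
        if gtime(user["passwordExpirationTime"]) <= now:
            return PAM_NEW_AUTHTOK_REQD
    return PAM_SUCCESS

# Constructed sample data, not taken from a real server.
GLOBAL_CFG = {"passwordLockout": "on", "passwordUnlock": "on", "passwordMaxFailure": "3",
              "passwordExp": "on", "passwordMustChange": "off", "nsslapd-pwpolicy-local": "on"}
SUBTREE = {"cn=nsPwPolicyEntry,ou=people,dc=example,dc=com": {"passwordMaxFailure": "5"}}
NOW = gtime("20240601120000Z")
```

With the constructed data, a user with three failed retries and an accountUnlockTime still in the future is reported as PAM_ACCT_EXPIRED, while the same user under the subtree policy (five failures allowed) passes the lockout check and is then caught by the expiration check instead.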
112 Administering LDAP-UX Client Services