LDAP-UX Client Services B.04.10 with Microsoft Windows Active Directory Server Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP-UX LDAP-UX Integration Software

111

112

113

114

115

116

117

118

119

120

function_name This field defines the function name in the specified <library_name> that

PAM_AUTHZ uses to evaluate certain security policy settings with the

The following describes the valid entries for this field:

• check_rhds_policy: If this option is specified, PAM_AUTHZ

evaluates all the necessary account and password policies settings,

stored in the Netscape/Red Hat Directory Server, for the login user.

• check_ads_policy: If this option is specified, PAM_AUTHZ

evaluates all the necessary account and password policies settings,

stored in theWindows 2000, 2003 or 2003 R2 Active Directory, for the

NOTE: If the status:ads:check_ads_policy access rule is configured in the

/etc/opt/ldapux/pam_authz.policy file, you must perform the following tasks:

• Define the allow:unix_local_user access rule in pam_authz.policy to allow the

local user to login.

• Since the status:ads:check_ads_policy access rule is guaranteed to match and return

a PAM return code. It is highly recommended to define the

status:ads:check_ads_policy access rule at the end of the pam_authz.policy file.

Otherwise, the access rules that are defined after the status access rule will not be evaluated.

• PAM_AUTHZ may display account and password policy attributes in the syslog file when

the debug option is enabled. You can take proper action to protect the syslog file. For example,

set the syslog file permissions, so that the file can only be accessed or viewed by the power

user.

An example of Access Rules

The following shows an example of the access rules defined in the

/etc/opt/ldapux/pam_authz.policy file when configuring and using security policy

enforcement for SSH key-pair or r-commands:

allow:unix_local_user

status:ads:check_ads_policy

Configuring Access Permissions for Global Policy Attributes

In order for PAM_AUTHZ to support security policy enforcement with the Windows ADS

Directory server, PAM_AUTHZ needs access to the security policy configuration attributes. The

global policy attributes are all defined under dc=world,dc=hp,dc=com. Only authorized users

can access them. If you use the PAM_Authz enhancement to support the account and password

policy enforcement, you must configure a proxy user who is able to retrieve the required attributes.

For example, you can configure the proxy user who belongs to the Domain Admins group. By

doing this, the proxy user is granted to have read and search rights to search dc=world, dc=hp,

dc=com.

Configuring PAM Configuration File

If you want to use PAM_AUTHZ to support enforcement of account and password policies,

stored in the Netscape/Red Hat Directory Server, you must define the pam_authz library in the

/etc/pam.conf file for the sshd and rcomds services under the account management role.

In addition, the control flag for the pam_authz library must be set to required. See Appendix

H, “Sample PAM Configuration File for Security Policy Enforcement” (page 203) for proper

configuration.

PAM_AUTHZ Login Authorization 119