LDAP-UX Client Services B.04.10 with Microsoft Windows Active Directory Server Administrator's Guide
Evaluating the Windows Active Directory Server Security Policy
The following is an example of the access rule in the /etc/opt/ldapux/pam_authz.policy file:
status:ads:check_ads_policy
If the above access rule is specified in the pam_authz.policy file, the check_ads_policy
routine in the libpolicy_ads library is loaded and executed. PAM_AUTHZ constructs a
request message that is used to retrieve the current security policy configuration and to
examine the specific user's security policy status attributes, in order to determine whether the
user complies with the security policy. PAM_AUTHZ searches for the following information:
• Global (domain-wide) policy attributes under the domain entry, dc=world, dc=hp, dc=com in
this example: lockoutDuration, maxPwdAge.
• User-specific policy attributes: userAccountControl, userWorkstations, pwdLastSet,
accountExpires, lockoutTime and logonHours.
By evaluating these security policy settings, PAM_AUTHZ performs the following checks and
returns the corresponding PAM return code to the application or command that called the
PAM API:
• Check whether the account is disabled.
• Check whether the current time falls within the hours during which the user is allowed to
log on to the domain.
• Check whether the account password must be changed.
• Check whether the account is locked out.
• Check whether the password has expired.
PAM Return Codes
If the status:ads:check_ads_policy access rule is specified in the
/etc/opt/ldapux/pam_authz.policy file for Windows Active Directory Server,
PAM_AUTHZ evaluates the necessary security policy settings and returns one of the following
PAM return codes:
PAM_USER_UNKNOWN The code returned if the user is not found in the Directory Server,
or if any internal error occurs (such as an error returned by the
server) while looking up the user's policy attributes.
PAM_ACCT_EXPIRED The code returned if the user account is inactive, or if the user
account has been locked out. Note that the caller cannot tell these
two conditions apart from the return code alone.
PAM_NEW_AUTHTOK_REQD The code returned if the user's password has expired or the user's
password must be changed.
PAM_SUCCESS The code returned if the user account is active and not locked out,
and the user's password has not expired.
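The following is an added example, not LDAP-UX's own libpolicy_ads code, showing how the attributes listed above can be evaluated and mapped to the PAM return codes in the table. It assumes the attribute values have already been fetched from the directory (integers for the FILETIME and userAccountControl values, a 21-byte string for logonHours), uses the documented Active Directory encodings (100-nanosecond FILETIME timestamps, negated 100-nanosecond intervals for maxPwdAge and lockoutDuration, the ACCOUNTDISABLE and DONT_EXPIRE_PASSWD bits of userAccountControl, a 168-bit UTC logonHours mask starting at Sunday 00:00), and treats the order of the checks and the use of PAM_PERM_DENIED for a logon-hours violation as assumptions, since the text does not state them. The sample users and domain policy are constructed for the example.

```python
"""Added example: evaluate AD account-policy attributes and map the result to a
PAM return code, in the spirit of check_ads_policy.  Not LDAP-UX code."""
from datetime import datetime, timedelta, timezone

# PAM return-code names from the text; numeric values follow Linux-PAM and are
# used here only as distinct constants.
PAM_SUCCESS, PAM_PERM_DENIED, PAM_USER_UNKNOWN = 0, 6, 10
PAM_NEW_AUTHTOK_REQD, PAM_ACCT_EXPIRED = 12, 13

UF_ACCOUNTDISABLE = 0x0002        # userAccountControl bits (Microsoft's values)
UF_DONT_EXPIRE_PASSWD = 0x10000
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)   # accountExpires sentinels for "never"
NO_LIMIT = -0x8000000000000000            # maxPwdAge/lockoutDuration: no limit
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """AD timestamps are 100-ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def interval_to_timedelta(value):
    """maxPwdAge and lockoutDuration are stored negated, in 100-ns units."""
    return timedelta(microseconds=-value // 10)


def logon_allowed(logon_hours, when):
    """logonHours: 21 bytes = 168 bits, one per hour of the week in UTC,
    hour 0 = Sunday 00:00, least-significant bit first within each byte."""
    if logon_hours is None:                   # attribute absent: no restriction
        return True
    hour_of_week = ((when.weekday() + 1) % 7) * 24 + when.hour
    return bool(logon_hours[hour_of_week // 8] & (1 << (hour_of_week % 8)))


def check_ads_policy(global_policy, user, now):
    """Return the PAM code for `user` (dict of attributes, or None if not found).
    Check order and PAM_PERM_DENIED for logon hours are this example's choices."""
    if user is None:
        return PAM_USER_UNKNOWN
    uac = int(user.get("userAccountControl", 0))
    if uac & UF_ACCOUNTDISABLE:
        return PAM_ACCT_EXPIRED
    expires = int(user.get("accountExpires", 0))
    if expires not in NEVER_EXPIRES and filetime_to_datetime(expires) <= now:
        return PAM_ACCT_EXPIRED
    lockout_time = int(user.get("lockoutTime", 0))      # 0 = not locked out
    if lockout_time:
        duration = int(global_policy["lockoutDuration"])
        # NO_LIMIT: locked until an administrator unlocks; otherwise the lock
        # lapses once lockoutTime + lockoutDuration is in the past
        if duration == NO_LIMIT or \
                filetime_to_datetime(lockout_time) + interval_to_timedelta(duration) > now:
            return PAM_ACCT_EXPIRED
    if not logon_allowed(user.get("logonHours"), now):
        return PAM_PERM_DENIED
    pwd_last_set = int(user.get("pwdLastSet", 0))
    if pwd_last_set == 0:                   # "must change password at next logon"
        return PAM_NEW_AUTHTOK_REQD
    max_age = int(global_policy["maxPwdAge"])
    if not uac & UF_DONT_EXPIRE_PASSWD and max_age not in (0, NO_LIMIT) \
            and filetime_to_datetime(pwd_last_set) + interval_to_timedelta(max_age) <= now:
        return PAM_NEW_AUTHTOK_REQD
    return PAM_SUCCESS


def logon_hours_mask(days, hours):
    """Build a logonHours value allowing the given days (0 = Sunday) and UTC hours."""
    mask = bytearray(21)
    for d in days:
        for h in hours:
            mask[(d * 24 + h) // 8] |= 1 << ((d * 24 + h) % 8)
    return bytes(mask)


# ---- constructed sample data, not from a real domain ----
NOW = datetime(2024, 3, 6, 10, 0, tzinfo=timezone.utc)   # a Wednesday, 10:00 UTC
GLOBAL_POLICY = {"maxPwdAge": -36288000000000,           # 42 days
                 "lockoutDuration": -18000000000}        # 30 minutes
ALL_HOURS = bytes([0xFF] * 21)
BUSINESS_HOURS = logon_hours_mask(range(1, 6), range(9, 17))   # Mon-Fri 09-17 UTC


def _user(**overrides):
    base = {"userAccountControl": 0x200, "accountExpires": 0, "lockoutTime": 0,
            "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=10)),
            "logonHours": ALL_HOURS}
    return {**base, **overrides}


SAMPLE_USERS = {
    "alice": _user(),                                                        # healthy
    "bob":   _user(userAccountControl=0x202),                                # disabled
    "carol": _user(lockoutTime=datetime_to_filetime(NOW - timedelta(minutes=10))),  # locked
    "dave":  _user(lockoutTime=datetime_to_filetime(NOW - timedelta(minutes=45))),  # lock lapsed
    "erin":  _user(pwdLastSet=0),                                            # must change
    "frank": _user(pwdLastSet=datetime_to_filetime(NOW - timedelta(days=60))),   # expired pw
    "grace": _user(pwdLastSet=datetime_to_filetime(NOW - timedelta(days=60)),
                   userAccountControl=0x10200),                              # never expires
    "heidi": _user(logonHours=BUSINESS_HOURS),                               # Wed 10:00 ok
    "ivan":  _user(logonHours=bytes(21)),                                    # no hours
    "judy":  _user(accountExpires=datetime_to_filetime(NOW - timedelta(days=1))),   # expired
}


def evaluate_samples():
    """Map each sample user, plus an unknown one, to its PAM return code."""
    results = {n: check_ads_policy(GLOBAL_POLICY, a, NOW) for n, a in SAMPLE_USERS.items()}
    results["nobody"] = check_ads_policy(GLOBAL_POLICY, None, NOW)
    return results
```

Running evaluate_samples() shows why the return-code table matters to a caller: bob (disabled), carol (locked out) and judy (account expired) all come back as PAM_ACCT_EXPIRED, so an application that wants to tell a user why they were refused must look at the directory attributes, not the PAM code. dave demonstrates the lockoutDuration arithmetic (a stale lockoutTime no longer locks the account), and grace shows the DONT_EXPIRE_PASSWD bit overriding maxPwdAge.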