Manualshelf

LDAP-UX Client Services B.04.10 with Microsoft Windows Active Directory Server Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP-UX LDAP-UX Integration Software
191192193194195196197198199200
F Sample /etc/pam.conf File for HP-UX 11i v1 Trusted
Mode
This Appendix provides a sample PAM configuration file, /etc/pam.conf, used on the HP-UX
11i v1 system to support the coexistence of LDAP-UX and Trusted Mode. If your directory server
is the Microsoft Windows 2000 Active Directory Server and your LDAP client is in the Trusted
Mode, the /etc/pam.conf file must be configured as shown in the following example file.
Use the following steps to create the /etc/pam.conf example file on the HP-UX 11i v1 system:
1. copy the /etc/pam.krb5 file to the /etc/pam.conf file.
2. Edit the /etc/pam.conf file and change the control flag for the
/usr/lib/security/libpam_krb5.1 entries to "required" under the Account
management and Session management sessions.
3. Add the try_first_pass option to the /usr/lib/security/libpam_unix.1 entry
under the Password management to avoid prompting " old password" twice when a
local user changes his password or when a local user logs in with an expired password.
## PAM configuration
#
# This pam.conf file is intended as an example only.
# see pam.conf(4) for more details
#
################################################################
# This sample file will authenticate the user who belongs to #
# either Kerberos or Unix system. Using this configuration file#
# if the user is authenticated through Kerberos then the Unix #
# authentication will not be invoked. However,if the Kerberos #
# authentication fails for the user, then the fallback #
# authentication mechanism PAM-Unix will be invoked to #
# authenticate the user.The assumption is the user is either #
# present in Kerberos or in Unix system. #
# #
# In case, the administrator wants the password for all the #
# users to be synchronous between Kerberos and Unix systems, #
# then the control flag should be set to "required" for all #
# the entries with user_first_pass option set for pam_unix. #
# If password synchronization is optional then try_first_pass #
# option need to be set for pam_unix, so that the user can #
# login using the appropriate passwords. #
################################################################
# Authentication management
#
login auth sufficient /usr/lib/security/libpam_krb5.1
login auth required /usr/lib/security/libpam_unix.1 try_first_pass
su auth sufficient /usr/lib/security/libpam_krb5.1
su auth required /usr/lib/security/libpam_unix.1 try_first_pass
dtlogin auth sufficient /usr/lib/security/libpam_krb5.1
dtlogin auth required /usr/lib/security/libpam_unix.1 try_first_pass
dtaction auth sufficient /usr/lib/security/libpam_krb5.1
dtaction auth required /usr/lib/security/libpam_unix.1 try_first_pass
ftp auth sufficient /usr/lib/security/libpam_krb5.1
ftp auth required /usr/lib/security/libpam_unix.1 try_first_pass
OTHER auth required /usr/lib/security/libpam_unix.1
#
# Account management
#
login account sufficient /usr/lib/security/libpam_krb5.1
login account required /usr/lib/security/libpam_unix.1
su account sufficient /usr/lib/security/libpam_krb5.1
su account required /usr/lib/security/libpam_unix.1
dtlogin account sufficient /usr/lib/security/libpam_krb5.1
199