LDAP-UX Client Services B.04.15 Administrator's Guide

5.3.3 PAM_AUTHZ Supports Security Policy Enforcement
PAM_AUTHZ supports enforcement of account and password policies stored in an LDAP
directory server. This feature works with SSH (Secure Shell) and with rhost-enabled r-commands,
where authentication is not performed via the PAM (Pluggable Authentication Module) subsystem
but by the command itself.
See the “Security Policy Enforcement with Secure Shell (SSH) or r-commands” (page 105) section
for detailed information on how to configure access rules in the /etc/opt/ldapux/
pam_authz.policy file, set global policy access permissions and configure the pam.conf file
for security policy enforcement when using SSH key-pairs or r-commands.
5.3.3.1 Authentication using LDAP
The PAM framework is pluggable: the backend support for PAM's Authentication, Account
Management, Session Management and Password Management services can be directed
to an LDAP directory server. The LDAP-UX Client Services are plugged into the PAM framework
by specifying the pam_ldap library, libpam_ldap, in the /etc/pam.conf configuration file.
When the pam_ldap functions are invoked, the UNIX identity is translated into the distinguished
name of an entry in the directory server that represents that user. To perform authentication,
pam_ldap attempts to bind to the directory server as that identity. If the ldap_bind operation
succeeds, then pam_ldap will return success to the PAM authentication subsystem.
When pam_ldap performs the ldap_bind operation, the LDAP server authenticates the user
and also determines whether the LDAP account and password policy is satisfied. If the
account is locked, the ldap_bind will fail. If the user's password has expired, the ldap_bind
operation will return an error. An ldap_bind operation therefore performs both authentication and
account management operations.
5.3.3.2 Authentication with Secure Shell (SSH) and r-commands
For LDAP-UX B.04.00 or earlier versions, a user defined in an LDAP directory who tries to log
on to a UNIX system using SSH key-pairs or a rhost-enabled r-command will always be able
to log in even if that user's account has been locked or the password has expired. These applications
and commands do not need to call the PAM (Pluggable Authentication Module) authentication
functions, but perform their own authentication instead. When this occurs, the ldap_bind operation
is never performed. Thus, the LDAP directory server is never given the opportunity to perform
security policy enforcement.
LDAP-UX Client Services B.04.10 provides PAM_AUTHZ features to support enforcement of
account and password policies, stored in an LDAP directory server, for applications and commands
(such as SSH or r-commands) where authentication is not performed via the PAM subsystem but
by the command itself.
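The enforcement gap described above, and the account-stage check that closes it, as an added Python model (this is not LDAP-UX code; the sample directory entries, attribute names and function names are constructed for illustration):

```python
# Added illustration (not LDAP-UX code): a minimal model of the PAM auth and
# account stages, showing why SSH key-pair logins bypass LDAP policy checks
# unless an account-stage module (the role pam_authz fills) evaluates the policy.
# The directory entries and attribute names below are constructed for this example.
from dataclasses import dataclass


@dataclass
class DirectoryEntry:
    dn: str
    password: str
    locked: bool = False
    password_expired: bool = False


# Constructed sample directory: one healthy user, one locked, one expired.
DIRECTORY = {
    "alice": DirectoryEntry("uid=alice,ou=People,dc=example,dc=com", "s3cret"),
    "bob": DirectoryEntry("uid=bob,ou=People,dc=example,dc=com", "hunter2", locked=True),
    "carol": DirectoryEntry("uid=carol,ou=People,dc=example,dc=com", "pa55", password_expired=True),
}


def ldap_bind(user, password):
    """Model of the server-side bind: authentication plus policy evaluation.
    Returns "ok", or the reason the directory would fail the bind."""
    entry = DIRECTORY.get(user)
    if entry is None or entry.password != password:
        return "invalid credentials"
    if entry.locked:
        return "account locked"
    if entry.password_expired:
        return "password expired"
    return "ok"


def pam_authz_account(user):
    """Model of an account-stage policy check that does not depend on a bind."""
    entry = DIRECTORY.get(user)
    if entry is None:
        return "unknown user"
    if entry.locked:
        return "account locked"
    if entry.password_expired:
        return "password expired"
    return "ok"


def password_login(user, password):
    """Password login: pam_ldap authenticates by binding, so policy is enforced."""
    return ldap_bind(user, password)


def ssh_keypair_login(user, key_valid, account_policy_enabled):
    """SSH key-pair login: sshd verifies the key itself and never calls the PAM
    auth stage, so no ldap_bind happens. Only an account-stage check can deny."""
    if not key_valid:
        return "invalid key"
    if not account_policy_enabled:
        return "ok"  # B.04.00 behaviour: locked or expired users still get in
    return pam_authz_account(user)
```

Compare `ssh_keypair_login("bob", True, False)` with `ssh_keypair_login("bob", True, True)`: the locked account is admitted until the account-stage check runs.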
96 Administering LDAP-UX Client Services