LDAP-UX Client Services B.05.00 Administrator's Guide
OTHER auth required libpam_hpsec.so.1
OTHER auth sufficient libpam_unix.so.1
OTHER auth required libpam_ldap.so.1 try_first_pass deny_local
#
# Account management
#
login account required libpam_hpsec.so.1
login account sufficient libpam_unix.so.1
login account required libpam_ldap.so.1 deny_local
su account required libpam_hpsec.so.1
su account sufficient libpam_unix.so.1
su account required libpam_ldap.so.1 deny_local
dtlogin account required libpam_hpsec.so.1
dtlogin account sufficient libpam_unix.so.1
dtlogin account required libpam_ldap.so.1 deny_local
dtaction account required libpam_hpsec.so.1
dtaction account sufficient libpam_unix.so.1
dtaction account required libpam_ldap.so.1 deny_local
ftp account required libpam_hpsec.so.1
ftp account sufficient libpam_unix.so.1
ftp account required libpam_ldap.so.1 deny_local
rcomds account required libpam_hpsec.so.1
rcomds account sufficient libpam_unix.so.1
rcomds account required libpam_ldap.so.1 deny_local
sshd account required libpam_hpsec.so.1
sshd account sufficient libpam_unix.so.1
sshd account required libpam_ldap.so.1 deny_local
OTHER account required libpam_hpsec.so.1
OTHER account sufficient libpam_unix.so.1
OTHER account required libpam_ldap.so.1 deny_local
#
.
.
.
2.5.6.3 Configuring PAM_LDAP authentication to ignore specific users
When PAM_LDAP is configured to be the first service module in the /etc/pam.conf file (a
typical configuration in the Trusted Mode Environment), then if you lose access to your directory
server, you might have difficulty accessing the system again unless you are included in a set of
so-called “recovery users” configured in the /etc/pam_user.conf file. LDAP-UX 5.0 (and
later) supports the ignore option for PAM_LDAP, which you can configure in pam_user.conf
for specific users (such as root). This feature enables the specified users to be ignored for
authentication by PAM_LDAP (PAM returns PAM_IGNORE). LDAP-UX supports this feature
in both Standard Mode and Trusted Mode.
The /etc/pam_user.conf file is an optional user configuration file for PAM. It is used only
when a user-based configuration is needed. It mainly specifies options used by service modules
for specific users. The options defined in /etc/pam.conf specify the default for users who are
not configured in /etc/pam_user.conf or for users without a module type configured for
them. The /etc/pam.conf file is required for PAM to work properly.
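An added example (not from the HP guide): a POSIX shell check that each recovery user has a `user module_type libpam_ldap.so.1 ignore` entry in a pam_user.conf-style file, so gaps are found before the directory server becomes unreachable. The function name `check_ldap_ignore`, the user `admin1`, the default module types `auth` and `account` (the two shown in the pam.conf listing above), and `#` comment handling are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audit a pam_user.conf-style file for PAM_LDAP "ignore" entries.
# Entry format checked: user module_type libpam_ldap.so.1 ignore
# Usage: check_ldap_ignore FILE "USERS" ["MODULE_TYPES"]
# Prints one line per missing (user, module_type) pair.
# Returns 0 if all pairs are covered, 1 if any is missing, 2 if FILE is unreadable.
check_ldap_ignore() {
    conf=$1
    users=$2
    types=${3:-"auth account"}   # assumption: module types seen in the pam.conf listing
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    awk -v users="$users" -v types="$types" '
        BEGIN { nu = split(users, U, " "); nt = split(types, T, " ") }
        { sub(/#.*/, "") }              # assumption: "#" starts a comment, as in pam.conf
        NF < 4 { next }                 # blank, commented-out or incomplete line
        $3 ~ /(^|\/)libpam_ldap\.so\.1$/ {
            # "ignore" may appear anywhere among the module options
            for (i = 4; i <= NF; i++)
                if ($i == "ignore") seen[$1, $2] = 1
        }
        END {
            missing = 0
            for (u = 1; u <= nu; u++)
                for (t = 1; t <= nt; t++)
                    if (!((U[u], T[t]) in seen)) {
                        printf "MISSING: %s %s libpam_ldap.so.1 ignore\n", U[u], T[t]
                        missing = 1
                    }
            exit missing
        }
    ' "$conf"
}

# Constructed sample file (not from the guide); admin1 lacks an account entry.
sample=${TMPDIR:-/tmp}/pam_user.conf.sample.$$
cat > "$sample" <<'EOF'
root    auth    libpam_ldap.so.1 ignore
root    account libpam_ldap.so.1 ignore
admin1  auth    libpam_ldap.so.1 ignore
EOF
check_ldap_ignore "$sample" "root admin1" || echo "recovery-user coverage incomplete"
rm -f "$sample"
```

On a live system, pass /etc/pam_user.conf as the file and your own recovery-user list as the second argument.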
To configure the ignore option, perform the following steps:
1. For each user that you want bypassed by PAM authentication, enter a line in the
/etc/pam_user.conf file, using the following format:
user module_type libpam_ldap.so.1 ignore
where:
user Specifies the user to be ignored by PAM_LDAP authentication