LDAP-UX Client Services B.05.00 Administrator's Guide

5.3.3 PAM_AUTHZ supports security policy enforcement
PAM_AUTHZ supports enforcement of account and password policies stored in an LDAP
directory server. This feature works with secure shell (ssh) and rhost-enabled r-commands,
where authentication is not performed by the PAM (Pluggable Authentication Module) subsystem
but by the command itself.
For more information on how to configure access rules in the access policy configuration file, set
global policy access permissions, and configure the pam.conf file for security policy enforcement
when using SSH key-pairs or r-commands, see Section 5.3.10 (page 153).
5.3.3.1 Authentication using LDAP
Because the PAM framework is pluggable, the backend support for PAM's Authentication, Account
Management, Session Management and Password Management services can be directed
to an LDAP directory server. The LDAP-UX Client Services are plugged into the PAM framework
by specifying the PAM_LDAP library, libpam_ldap, in the /etc/pam.conf configuration
file. When the PAM_LDAP functions are invoked, the UNIX identity is translated into the
distinguished name of the directory entry that represents that user. To perform
authentication, PAM_LDAP attempts to bind to the directory server as that identity. If the LDAP
bind operation succeeds, PAM_LDAP returns success to the PAM authentication
subsystem.
When PAM_LDAP performs the LDAP bind operation, the LDAP server authenticates the user
and also checks whether the user satisfies the LDAP account and password policy. If the
account is locked, the LDAP bind fails. If the user's password has expired, the LDAP bind
operation returns an error. An LDAP bind operation therefore performs both authentication and
account management.
5.3.3.2 Authentication with secure shell (ssh) and r-commands
For LDAP-UX B.04.00 or earlier versions, a user defined in an LDAP directory who tries to log
on to a UNIX system using ssh key-pairs or a rhost-enabled r-command is always able to
log in, even if this user's account has been locked or the password has expired. These applications
and commands do not need to call the PAM (Pluggable Authentication Module) authentication
functions, but perform their own authentication instead. When this occurs, the LDAP bind
operation is never performed, so the LDAP directory server is never given the opportunity
to enforce its security policy.
LDAP-UX Client Services B.04.10 or later provides PAM_AUTHZ features to support enforcement
of account and password policies, stored in an LDAP directory server, for applications/commands
(such as ssh or r-command) where authentication is not performed by the PAM subsystem, but
is performed by the command itself.
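The following model, added here as an illustration and not part of LDAP-UX or its documentation, walks through the PAM_LDAP bind flow described in Section 5.3.3.1 and the key-pair bypass described in Section 5.3.3.2. The in-memory directory, the DNs, the attribute names, the passwords and the dates are all constructed for the example.

```python
# Model of how PAM_LDAP enforces LDAP account policy through the bind
# operation, and why ssh key-pair logins bypass it unless an account check
# (the role PAM_AUTHZ fills) runs separately. Added illustration, not LDAP-UX
# code: the directory entries, DNs, attributes and dates are constructed.
BASE_DN = "ou=People,dc=example,dc=com"  # assumed search base
TODAY = "2024-06-01"                      # fixed clock, constructed

DIRECTORY = {
    f"uid=alice,{BASE_DN}": {"userPassword": "alice-pw", "locked": False,
                             "passwordExpiration": "2099-01-01"},
    f"uid=bob,{BASE_DN}":   {"userPassword": "bob-pw", "locked": True,
                             "passwordExpiration": "2099-01-01"},
    f"uid=carol,{BASE_DN}": {"userPassword": "carol-pw", "locked": False,
                             "passwordExpiration": "2020-01-01"},  # expired
}

def uid_to_dn(username):
    """Translate a UNIX identity into the DN of the entry representing it."""
    dn = f"uid={username},{BASE_DN}"
    return dn if dn in DIRECTORY else None

def account_check(dn):
    """Account-management half of the server's bind handling."""
    entry = DIRECTORY[dn]
    if entry["locked"]:
        return "account locked"
    if entry["passwordExpiration"] <= TODAY:   # ISO dates compare as text
        return "password expired"
    return "ok"

def ldap_bind(dn, password):
    """Simple bind as the user: authentication first, then account policy."""
    if dn not in DIRECTORY or DIRECTORY[dn]["userPassword"] != password:
        return "invalid credentials"
    return account_check(dn)

def pam_ldap_authenticate(username, password):
    """PAM_LDAP path: success only if the bind as the user's DN succeeds."""
    dn = uid_to_dn(username)
    return dn is not None and ldap_bind(dn, password) == "ok"

def ssh_keypair_login(username, key_accepted, enforce_authz):
    """ssh key-pair path: sshd verifies the key itself, so no bind happens.
    Without a separate account check a locked or expired account still gets in."""
    if not key_accepted:
        return False
    if not enforce_authz:
        return True                    # pre-B.04.10 behaviour: policy bypassed
    dn = uid_to_dn(username)
    return dn is not None and account_check(dn) == "ok"
```

Running `pam_ldap_authenticate("bob", "bob-pw")` returns False because the bind itself reports the lock, while `ssh_keypair_login("bob", True, enforce_authz=False)` returns True, which is the gap that the separate account check closes.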
142 Administering LDAP-UX Client Services