LDAP-UX Client Services B.05.00 Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP-UX LDAP-UX Integration Software

151

152

153

154

155

156

157

158

159

160

function_name This field defines the function name in the specified <library_name> that

PAM_AUTHZ uses to evaluate certain security policy settings with the

The following describes the valid entries for this field:

• check_rhds_policy: If this option is specified, PAM_AUTHZ

evaluates all the necessary account and password policies settings,

stored in the HP-UX Directory Server or Redhat Directory Server, for

the login user.

• check_ads_policy: If this option is specified, PAM_AUTHZ

evaluates all the necessary account and password policies settings,

stored in the Windows Server 2003 R2/2008 Active Directory, for the

NOTE: If the status:rhds:check_ads_policy access rule is configured in the access policy

file, you must perform the following tasks:

• Define the allow:unix_local_user access rule in the access policy file to allow the local

user to log in.

• Since the status:rhds:check_ads_policy access rule is guaranteed to match and

return a PAM return code. It is highly recommended to define the

status:rhds:check_ads_policy access rule at the end of the access policy file.

Otherwise, the access rules that are defined after the status access rule will not be evaluated.

• PAM_AUTHZ may display account and password policy attributes in the syslog file when

the debug option is enabled. You can take proper action to protect the syslog file. For

example, set the syslog file permissions, so that the file can only be accessed or viewed by

the power user.

WARNING! Enabling the debug option in pam.conf might allow hackers to gain additional

information that would enable them to crack password security. For example, they could

attempt to log in as a super user (su) and discover that a password has expired (observing

the super user's behavior, the hackers could determine when he or she is likely to log in

next).

5.3.10.1.1 An example of access rules

The following shows an example of the access rules defined in the access policy file when

configuring and using security policy enforcement for ssh key-pair or r-commands:

allow:unix_local_user

status:rhds:check_ads_policy

5.3.10.2 Setting access permissions for global policy attributes

For PAM_AUTHZ to support security policy enforcement with the HP-UX Directory Server or

Red Hat Directory server, PAM_AUTHZ needs access to the security policy configuration

attributes. These global policy attributes are all defined under cn=config. Only authorized users

can access them. If you use the PAM_AUTHZ enhancement to support the account and password

policy enforcement, you must configure LDAP-UX with a proxy user and grant this proxy user

read and search rights to search for specific attributes under cn=config. The following example

ACI gives a proxy user permission to read and search all global policy attributes:

aci: (targetattr= "objectclass ||passwordLockout ||passwordUnlock

||passwordMaxFailure ||passwordExp ||passwordMustChange

||nsslapd-pwpolicy-local")

(version 3.0; acl "Proxy global security policy attributes read and

search rights";

154 Administering LDAP-UX Client Services