LDAP-UX Client Services B.05.00 Administrator's Guide

allow (read,search)
(userdn = "ldap:///uid=proxyuser,ou=Special Users,o=hp.com");)
For a list of the security policy attributes supported by LDAP-UX, see
Section 5.3.10.6 (page 156).
5.3.10.3 Configuring the PAM configuration file
If you want to use PAM_AUTHZ to enforce the account and password policies stored in your
directory server, you must define the PAM_AUTHZ library and the rcommand option in the
/etc/pam.conf file for the sshd and rcomds services in the account management section.
In addition, the control flag for the PAM_AUTHZ library must be set to required. See
“Sample /etc/pam.conf file for security policy enforcement” (page 357) for the proper
configuration.
5.3.10.4 Evaluating the directory server security policy
The following is an example of the access rule in the access policy file:
status:rhds:check_rhds_policy
If the above access rule is specified in the access policy file, the check_rhds_policy routine
in the libpolicy_rhds library is loaded and executed. PAM_AUTHZ constructs a request
message that is used to find the current security policy configuration and to examine
the specific user's security policy status attributes, in order to determine whether the user
complies with the security policy. PAM_AUTHZ searches for the following information:
Global policy attributes under cn=config: passwordLockout, passwordUnlock,
passwordMaxFailure, passwordExp, passwordMustChange,
nsslapd-pwpolicy-local.
User-specific policy attributes: accountUnlockTime, passwordExpirationTime,
pwdPolicySubEntry, passwordRetryCount, nsAccountLock.
If fine-grained policy is turned on and a sub-tree policy has been configured for this user,
then LDAP-UX searches for the password policy attributes at the subtree and user level:
passwordLockout, passwordUnlock, passwordMaxFailure, passwordExp,
passwordMustChange.
PAM_AUTHZ performs the following checks by evaluating the relevant security policy
settings, and returns the corresponding PAM return code to the application or command
that called the PAM API:
Check whether an account is inactivated or not.
Check whether an account is locked or not.
Check whether the password has expired or not.
5.3.10.5 PAM return codes
If the status:rhds:check_rhds_policy access rule is specified in the access policy file for
HP-UX Directory Server or Red Hat Directory Server, PAM_AUTHZ evaluates the relevant
security policy settings and returns one of the following PAM return codes:
PAM_USER_UNKNOWN: Returned if the user is not found in the Directory Server, or if an internal error (such as an error returned by the server) prevents the user's policy attributes from being found.
PAM_ACCT_EXPIRED: Returned if the user account is inactive.
PAM_ACCT_EXPIRED: Returned if the user account has been locked out.
PAM_NEW_AUTHTOK_REQD: Returned if the user's password has expired.
PAM_SUCCESS: Returned if the user account is active and not locked, and the user's password has not expired.
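As an added illustration, and not code from the guide or from the libpolicy_rhds library, the following Python sketch applies the checks of 5.3.10.4 and 5.3.10.5 to attributes already fetched from the directory and maps them to the return codes above. The on/off and true/false encodings, the GeneralizedTime format, the way the lockout and unlock attributes combine, and the sample entries are assumptions made for the example, not the library's documented algorithm.

```python
from datetime import datetime, timezone

# PAM return codes named on the page; HP-UX's numeric values are not modeled here.
PAM_SUCCESS = "PAM_SUCCESS"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_ACCT_EXPIRED = "PAM_ACCT_EXPIRED"
PAM_NEW_AUTHTOK_REQD = "PAM_NEW_AUTHTOK_REQD"

GEN_TIME = "%Y%m%d%H%M%SZ"  # LDAP GeneralizedTime, e.g. 20240101000000Z (assumed format)

def _on(entry, attr):
    """Boolean attributes are assumed to arrive as on/off (policy) or true/false (nsAccountLock)."""
    return str(entry.get(attr, "off")).lower() in ("on", "true")

def _past(entry, attr, now):
    """True if the GeneralizedTime attribute exists and is not later than now."""
    value = entry.get(attr)
    if not value:
        return False
    return datetime.strptime(value, GEN_TIME).replace(tzinfo=timezone.utc) <= now

def check_rhds_policy(global_policy, user, subtree_policies, now):
    """Apply the checks in the order the guide lists them: unknown, inactive, locked, expired."""
    if user is None:                      # the search for the user returned nothing
        return PAM_USER_UNKNOWN
    policy = global_policy                # attributes read under cn=config
    # Fine-grained policy: the user's subtree policy overrides the global one (assumed precedence).
    if _on(global_policy, "nsslapd-pwpolicy-local") and user.get("pwdPolicySubEntry"):
        policy = {**global_policy, **subtree_policies.get(user["pwdPolicySubEntry"], {})}
    if _on(user, "nsAccountLock"):        # account inactivated by the administrator
        return PAM_ACCT_EXPIRED
    if _on(policy, "passwordLockout"):
        if int(user.get("passwordRetryCount", 0)) >= int(policy.get("passwordMaxFailure", 3)):
            # Still locked unless passwordUnlock is on and accountUnlockTime has already passed.
            if not (_on(policy, "passwordUnlock") and _past(user, "accountUnlockTime", now)):
                return PAM_ACCT_EXPIRED
    # passwordMustChange is read as well, but its effect is not described on this page.
    if _on(policy, "passwordExp") and _past(user, "passwordExpirationTime", now):
        return PAM_NEW_AUTHTOK_REQD
    return PAM_SUCCESS

# Constructed sample data; not captured from a real directory server.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_GLOBAL = {"passwordLockout": "on", "passwordUnlock": "on", "passwordMaxFailure": "3",
                 "passwordExp": "on", "nsslapd-pwpolicy-local": "off"}
SAMPLE_USER = {"uid": "jdoe", "nsAccountLock": "false", "passwordRetryCount": "3",
               "accountUnlockTime": "20240101000000Z", "passwordExpirationTime": "20990101000000Z"}

if __name__ == "__main__":
    print(check_rhds_policy(SAMPLE_GLOBAL, SAMPLE_USER, {}, SAMPLE_NOW))  # PAM_SUCCESS
```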
5.3 PAM_AUTHZ login authorization 155