LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory Server Administrator's Guide (obsolete beyond B.05.00)
given the opportunity to provide security policy enforcement, which normally occurs during the
LDAP authentication process.
To configure and use this feature for SSH key-pair logins or r-commands, you must perform the following
tasks:
• Set security policy enforcement access rule in the access policy file. See Section 6.4.10.1
(page 109) for details.
• Set access permissions for global policy attributes. See Section 6.4.10.2 (page 110) for details.
• Configure the PAM_AUTHZ library in the /etc/pam.conf file for the sshd and rcomds
services under the account management role. See Section 6.4.10.3 (page 110) for details.
6.4.10.1 Security policy enforcement access rule
Specifying status in the <action> field of a pam_authz.policy access rule triggers use of the
account and password security policy enforcement rule. When this rule is evaluated, PAM_AUTHZ
calls the <function_name> in the library specified by the <library_name> field and returns that
function's return value, which is one of the PAM return codes described in Section 6.4.10.5
(page 111).
This access rule consists of the following three fields:
<action>:<library_name>:<function_name>
The following describes each field of the above access rule:
action When the status option is specified, PAM_AUTHZ returns whatever
<function_name> in <library_name> returns, which is one of the PAM
return codes.
library_name This field specifies the name of the library to be loaded that supports the
account and password policies for a particular directory server.
The following describes the valid value for this field:
• ads: If this option is specified, PAM_AUTHZ loads the
/opt/ldapux/lib/libpolicy_ads library to process the security policy
configuration and examine the user's security policy status attributes
stored in the Windows 2003 R2 or 2008 Active Directory Server.
function_name This field defines the function name in the specified <library_name> that
PAM_AUTHZ uses to evaluate the relevant security policy settings for the user
logging in.
The following describes the valid entry for this field:
• check_ads_policy: If this option is specified, PAM_AUTHZ evaluates
all the necessary account and password policy settings, stored in
the Windows 2003 R2 or 2008 Active Directory, for the login user.
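The following script is an added example and is not part of this guide or of the LDAP-UX product. It covers both the three-step procedure above and the access rule format just described: it writes constructed sample files (a pam_authz.policy holding the status:ads:check_ads_policy rule, and two /etc/pam.conf fragments for the sshd and rcomds services) and checks that the rule is well-formed and that libpam_authz is stacked under the account role, not only under auth. The module file name libpam_authz.so.1 and the /usr/lib/security/$ISA/ prefix are assumptions based on the usual HP-UX pam.conf layout; this page does not state them.

```shell
#!/bin/sh
# Added example, not part of the LDAP-UX guide: sanity-check the two pieces of
# configuration the procedure above requires, using constructed sample files.
# Assumptions (not stated on this page): the pam_authz.policy rule is a single
# line of the form action:library:function, and the module is installed as
# /usr/lib/security/$ISA/libpam_authz.so.1 as in a typical HP-UX pam.conf.

# check_status_rule FILE
# Succeeds only if FILE holds exactly one "status" access rule and that rule
# names the ads library and the check_ads_policy function.
check_status_rule() {
    policy="$1"
    # Ignore comment and blank lines; keep rules whose action field is status.
    rules=$(grep -v '^[[:space:]]*#' "$policy" | grep -v '^[[:space:]]*$' \
            | grep '^status:' || true)
    count=$(printf '%s\n' "$rules" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected one status rule, found $count" >&2
        return 1
    fi
    nfields=$(printf '%s\n' "$rules" | awk -F: '{ print NF }')
    lib=$(printf '%s\n' "$rules" | cut -d: -f2)
    func=$(printf '%s\n' "$rules" | cut -d: -f3)
    if [ "$nfields" -ne 3 ] || [ "$lib" != ads ] || [ "$func" != check_ads_policy ]; then
        echo "malformed status rule: $rules" >&2
        return 1
    fi
    return 0
}

# check_pam_account FILE SERVICE
# Succeeds only if FILE has an "account" line for SERVICE that loads
# libpam_authz. A line under "auth" is not enough: public-key SSH logins and
# r-command trust skip the auth stack, so the policy check would never run.
check_pam_account() {
    awk -v svc="$2" '
        /^[[:space:]]*#/ { next }
        $1 == svc && $2 == "account" && $4 ~ /libpam_authz\.so/ { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# write_samples DIR
# Writes constructed sample files into DIR: one policy file, one pam.conf
# fragment with the module under account (correct) and one with it only
# under auth (ineffective for key-based SSH and r-commands).
write_samples() {
    cat > "$1/pam_authz.policy" <<'EOF'
# constructed sample pam_authz.policy
status:ads:check_ads_policy
EOF
    cat > "$1/pam.conf.good" <<'EOF'
# constructed sample: module under account for both services
sshd    account required /usr/lib/security/$ISA/libpam_authz.so.1
rcomds  account required /usr/lib/security/$ISA/libpam_authz.so.1
EOF
    cat > "$1/pam.conf.bad" <<'EOF'
# constructed sample: module only under auth, so key-pair logins bypass it
sshd    auth    required /usr/lib/security/$ISA/libpam_authz.so.1
rcomds  auth    required /usr/lib/security/$ISA/libpam_authz.so.1
EOF
}

# Stand-alone run: write the samples to a scratch directory and report.
dir=$(mktemp -d)
write_samples "$dir"
check_status_rule "$dir/pam_authz.policy" && echo "policy rule: ok"
for svc in sshd rcomds; do
    check_pam_account "$dir/pam.conf.good" "$svc" && echo "good pam.conf, $svc: ok"
    check_pam_account "$dir/pam.conf.bad" "$svc" \
        || echo "bad pam.conf, $svc: libpam_authz missing from account stack"
done
rm -rf "$dir"
```

To use it on a real host, point check_status_rule at /etc/opt/ldapux/pam_authz.policy (or wherever your installation keeps the policy file) and check_pam_account at /etc/pam.conf; the checks read the files only and change nothing.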
6.4 PAM_AUTHZ login authorization 109