LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory Server Administrator's Guide (obsolete beyond B.05.00)
NOTE: If the status:rhds:check_ads_policy access rule is configured in the access policy
file, you must perform the following tasks:
• Define the allow:unix_local_user access rule in the access policy file to allow the local
user to log in.
• Since the status:rhds:check_ads_policy access rule is guaranteed to match and return
a PAM return code. It is highly recommended to define the
status:rhds:check_ads_policy access rule at the end of the access policy file.
Otherwise, the access rules that are defined after the status access rule will not be evaluated.
• PAM_AUTHZ may display account and password policy attributes in the syslog file when
the debug option is enabled. You can take proper action to protect the syslog file. For
example, set the syslog file permissions, so that the file can only be accessed or viewed by
the power user.
WARNING! Enabling the debug option in pam.conf might allow hackers to gain additional
information that would enable them to crack password security. For example, they could
attempt to log in as a super user (su) and discover that a password has expired (observing
the super user's behavior, the hackers could determine when he or she is likely to log in next).
6.4.10.1.1 An example of access rules
The following shows an example of the access rules defined in the access policy file when
configuring and using security policy enforcement for SSH key-pair or r-commands:
allow:unix_local_user
status:rhds:check_ads_policy
6.4.10.2 Configuring access permissions for global policy attributes
In order for PAM_AUTHZ to support security policy enforcement with the Windows ADS Directory
server, PAM_AUTHZ needs access to the security policy configuration attributes. The global policy
attributes are all defined under dc=world,dc=hp,dc=com. Only authorized users can access
them. If you use the PAM_Authz enhancement to support the account and password policy
enforcement, you must configure a proxy user who is able to retrieve the required attributes. For
example, you can configure the proxy user who belongs to the Domain Admins group. By doing
this, the proxy user is granted to have read and search rights to search dc=world, dc=hp,
dc=com.
6.4.10.3 Configuring PAM configuration file
If you want to use PAM_AUTHZ to support enforcement of account and password policies stored
in the ADS, you must define the pam_authz and the rcommand option library in the /etc/
pam.conf file for the sshd and rcomds services under the account management role. In addition,
the control flag for the PAM_AUTHZ library must be set to required. A sample configuration file
providing PAM_AUTHZ support for account and password policies is provided in Section C.3
(page 154) for proper configuration.
For more information about PAM and the pam.conf file, see the pam(3) and pam.conf(4)
manpages, and the Managing Systems and Workgroups: A Guide for HP-UX System Administrators
document at the following location:
http://www.hp.com/go/hpux-core-docs (click HP-UX 11i v2)
6.4.10.4 Evaluating the windows active directory server security policy
The following is an example of the access rule in the access policy file:
status:rhds:check_ads_policy
110 Administering LDAP-UX Client Services