LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory Server Administrator's Guide (obsolete beyond B.05.00)

If the above access rule is specified in the access policy file, the check_ads_policy routine in
the libpolicy_ads library is loaded and executed. PAM_AUTHZ constructs a request message
that is used to find the current security policy configuration and to examine the specific
user's security policy status attributes, to determine whether the user complies with the
security policy. PAM_AUTHZ searches for the following information:
- Global policy attributes under dc=world,dc=hp,dc=com: lockoutDuration, maxPwdAge.
- User-specific policy attributes: userAccountControl, userWorkstations, pwdLastSet,
  accountExpires, lockoutTime and logonHours.
PAM_AUTHZ evaluates the necessary security policy settings, performs the following checks,
and returns the corresponding PAM return code to the application or command that called the
PAM API:
- Check whether the account is disabled.
- Check the hours (time of day) during which the user is allowed to log on to the domain.
- Check whether the account password must be changed.
- Check whether the account is locked.
- Check whether the password has expired.
6.4.10.5 PAM return codes
If the status:rhds:check_ads_policy access rule is specified in the access policy file for
ADS, PAM_AUTHZ evaluates the necessary security policy settings and returns one of the
following PAM return codes:

PAM_USER_UNKNOWN      Returned if the user is not found in the Directory Server, or if an
                      internal error (such as an error returned by the server) prevents the
                      user's policy attributes from being found.
PAM_ACCT_EXPIRED      Returned if the user account is inactive or has been locked out.
PAM_NEW_AUTHTOK_REQD  Returned if the user's password has expired or must be changed.
PAM_SUCCESS           Returned if the user account is active and not locked, and the user's
                      password has not expired.
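As an added worked example (not LDAP-UX code; the guide does not show the libpolicy_ads implementation), the following Python emulates the decision logic described in the two sections above: it reads the same global and user attributes and maps the outcome to the PAM return codes listed. It goes beyond the text in one respect: it encodes the Active Directory attribute formats (userAccountControl flag bits, FILETIME timestamps, negative 100-ns intervals, the 21-byte logonHours bitmap) so the checks can run on constructed sample data. The user names, timestamps and attribute values, the order of the checks, the logonHours bit layout, and the code chosen for a logonHours denial (which the guide does not specify) are this example's assumptions.

```python
"""Added example, not LDAP-UX code: emulates the check_ads_policy decision over
AD policy attributes. Names, timestamps and attribute values are constructed."""
from datetime import datetime, timedelta, timezone

# userAccountControl flag bits (AD schema)
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_EXPIRE_PASSWD = 0x10000
FILETIME_NEVER = 0x7FFFFFFFFFFFFFFF   # accountExpires "never"
INTERVAL_NEVER = -0x8000000000000000  # "(never)" for maxPwdAge / lockoutDuration
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# PAM return codes named in the guide (strings stand in for the C constants)
PAM_SUCCESS, PAM_USER_UNKNOWN = "PAM_SUCCESS", "PAM_USER_UNKNOWN"
PAM_ACCT_EXPIRED, PAM_NEW_AUTHTOK_REQD = "PAM_ACCT_EXPIRED", "PAM_NEW_AUTHTOK_REQD"

def filetime_to_datetime(ft):
    """AD timestamps (pwdLastSet, lockoutTime, accountExpires): 100-ns units since 1601 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def interval_to_timedelta(iv):
    """AD durations (maxPwdAge, lockoutDuration) are stored as negative 100-ns counts."""
    return timedelta(microseconds=-iv // 10)

def logon_hours_bitmap(allowed):
    """21-byte logonHours value from (day, hour) pairs, day 0 = Sunday, hours in UTC.
    Bit layout assumed per the AD schema: bit 0 of byte 0 is Sunday 00:00-01:00."""
    buf = bytearray(21)
    for day, hour in allowed:
        idx = day * 24 + hour
        buf[idx // 8] |= 1 << (idx % 8)
    return bytes(buf)

def logon_hour_allowed(logon_hours, when):
    if logon_hours is None:
        return True  # attribute absent: no time-of-day restriction
    when = when.astimezone(timezone.utc)
    day = (when.weekday() + 1) % 7  # Python Monday=0 -> AD Sunday=0
    idx = day * 24 + when.hour
    return bool((logon_hours[idx // 8] >> (idx % 8)) & 1)

def check_ads_policy(global_attrs, user_attrs, now):
    """Return (PAM code, reason). The order of the checks is this example's choice."""
    if user_attrs is None or "userAccountControl" not in user_attrs:
        return PAM_USER_UNKNOWN, "user not found or policy attributes unreadable"
    uac = int(user_attrs["userAccountControl"])
    if uac & UF_ACCOUNTDISABLE:
        return PAM_ACCT_EXPIRED, "account disabled"
    expires = int(user_attrs.get("accountExpires", 0))
    if expires not in (0, FILETIME_NEVER) and filetime_to_datetime(expires) <= now:
        return PAM_ACCT_EXPIRED, "account expired"
    lockout_time = int(user_attrs.get("lockoutTime", 0))
    if lockout_time:  # 0 means not locked
        duration = int(global_attrs.get("lockoutDuration", 0))
        if (duration == INTERVAL_NEVER
                or filetime_to_datetime(lockout_time) + interval_to_timedelta(duration) > now):
            return PAM_ACCT_EXPIRED, "account locked out"
    if not logon_hour_allowed(user_attrs.get("logonHours"), now):
        # The guide does not say which code a logonHours denial maps to;
        # PAM_ACCT_EXPIRED here is this example's assumption.
        return PAM_ACCT_EXPIRED, "outside permitted logon hours"
    pwd_last_set = int(user_attrs.get("pwdLastSet", 0))
    if pwd_last_set == 0:  # "user must change password at next logon"
        return PAM_NEW_AUTHTOK_REQD, "password must be changed"
    max_age = int(global_attrs.get("maxPwdAge", 0))
    if (not uac & UF_DONT_EXPIRE_PASSWD and max_age not in (0, INTERVAL_NEVER)
            and filetime_to_datetime(pwd_last_set) + interval_to_timedelta(max_age) <= now):
        return PAM_NEW_AUTHTOK_REQD, "password expired"
    return PAM_SUCCESS, "account active, not locked, password current"

# Constructed sample data (hypothetical users and policy values)
NOW = datetime(2008, 3, 5, 10, 0, tzinfo=timezone.utc)    # a Wednesday
SUNDAY = datetime(2008, 3, 2, 10, 0, tzinfo=timezone.utc)
UAC_NORMAL = 0x200
GLOBAL_POLICY = {"maxPwdAge": -36288000000000,     # 42 days in 100-ns units
                 "lockoutDuration": -18000000000}  # 30 minutes
BUSINESS_HOURS = logon_hours_bitmap((d, h) for d in range(1, 6) for h in range(9, 17))

def user(**overrides):
    base = {"userAccountControl": UAC_NORMAL, "accountExpires": 0, "lockoutTime": 0,
            "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=10))}
    base.update(overrides)
    return base

USERS = {
    "alice": user(),
    "bob": user(userAccountControl=UAC_NORMAL | UF_ACCOUNTDISABLE),
    "carol": user(lockoutTime=datetime_to_filetime(NOW - timedelta(minutes=5))),
    "dan": user(lockoutTime=datetime_to_filetime(NOW - timedelta(minutes=45))),
    "erin": user(pwdLastSet=0),
    "frank": user(pwdLastSet=datetime_to_filetime(NOW - timedelta(days=60))),
    "grace": user(logonHours=BUSINESS_HOURS),
    "heidi": user(accountExpires=datetime_to_filetime(NOW - timedelta(days=1))),
}

def evaluate(name, when=NOW):
    return check_ads_policy(GLOBAL_POLICY, USERS.get(name), when)
```

Calling evaluate() for each sample user returns the code for that scenario, for instance PAM_ACCT_EXPIRED for the disabled, expired and freshly locked-out accounts, PAM_SUCCESS for "dan" once his 30-minute lockout has elapsed, and PAM_NEW_AUTHTOK_REQD for both the pwdLastSet=0 and the 60-day-old password. On a live system the two global attributes come from a base-scope search of the domain root performed as the proxy user, which is why that proxy needs read and search rights there; if that search or the user lookup fails, the guide maps the failure to PAM_USER_UNKNOWN, as the example does for an unknown name.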
6.4.10.6 Directory Server security policies
Global Security Attributes
The Windows Active Directory Server holds a number of attributes that describe its security
policies. To support account and password security policy enforcement, PAM_AUTHZ has been
enhanced to support the global administrative security attributes listed in Table 9.
They define the policy rules and are all stored under the domain root, dc=world,dc=hp,dc=com.
Only authorized users can read them. If you use the PAM_AUTHZ enhancement for account and
password policy enforcement, you must configure LDAP-UX with a proxy user and grant that
proxy user read and search rights on dc=world,dc=hp,dc=com.