LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory Server Administrator's Guide (obsolete beyond B.05.00)
C Sample PAM configuration (pam.conf) files for Windows ADS
This appendix provides information about configuring PAM configuration files and includes several
sample PAM configuration files used on an HP-UX 11i v2 (or higher) system. These /etc/pam.conf
files are intended as examples only.
The PAM configuration file /etc/pam.conf is the primary configuration file for the Pluggable
Authentication Module (PAM) framework. PAM provides four types of authentication-related
functionality for services, where a service is a command or application that requests authentication.
The following are the four types, also known as module types:
• User authentication (auth) — provides functionality to authenticate a user and set up user
credentials
• Account management (account) — provides functionality to determine if the current user's
account is valid; examples of this include checking for password and account expiration, as
well as verifying access hour restrictions
• Session management (session) — provides functionality to set up and terminate sessions for
which the user is logged in to the service
• Password management (password) — provides functionality to change a user's authentication
token or password
The pam.conf file contains a list of the services. Each service entry is associated with a module
type (auth, account, session, or password), a path for the shared library object that implements
the module, a control flag, and zero or more options. The control flag specifies
the continuation and failure semantics of a stacked service, as described subsequently. When an
application requests a service, the associated service module is invoked. Each service entry has
the following format:
service module_type control_flag module_path options
When a service of the same module type is defined more than once (each with a different module
path or library to implement the functionality), the service is said to be stacked. This enables an
application to be authenticated in multiple ways, before granting access. Each service defined in
the stack is processed in the order that it occurs. The control flag may be required, optional,
or sufficient.
Each PAM module returns a status that indicates whether it approves, disapproves, or has no
opinion about the requested operation. If a module succeeds but has no opinion on a decision,
the corresponding control flags for that module are ignored.
The PAM framework processes each service module in a stack. If all the modules in the stack
succeed, then success is returned (optional error values are ignored; sufficient error values
are ignored if it is not the last service module in the stack). If one or more required modules fail,
the PAM framework returns the error value from the first required module that failed.
If none of the service modules in the stack are designated as required, then at least one
optional or sufficient module must succeed. If all fail, then the error value from the first
service module in the stack is returned.
There is one exception: if a service module designated as sufficient succeeds, the PAM
framework immediately returns success to the application requesting the service (all subsequent
service modules in the stack, including required ones, are skipped), provided that every prior
required module also succeeded. If a prior required module failed, the error value from that
module is returned instead.
If a module is not found or cannot be opened, an error is logged and the PAM framework returns
an error to the requesting application.
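The entry format and the stacking rules above are easiest to check by running them. The following is an added example, not code from the HP-UX manual or from LDAP-UX: a small Python simulator that parses pam.conf-format entries and walks a service stack exactly as the rules in this appendix describe (required, optional, sufficient, the "no opinion" result, and the unopenable-module error). No shared libraries are loaded; the caller supplies each module's return value in a table keyed by module path. The numeric return codes, the sample pam.conf fragment (module paths modelled on HP-UX libpam_unix and libpam_ldap names, with the try_first_pass option) and the service names are constructed for the example and are not taken from the manual's sample files.

```python
# Added example, not from the HP-UX manual: simulate PAM stack evaluation.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Return codes are assumed for the example; only equality matters below.
PAM_SUCCESS = 0
PAM_OPEN_ERR = 1        # module could not be found or opened
PAM_AUTH_ERR = 9
PAM_ACCT_EXPIRED = 13
PAM_IGNORE = 25         # module succeeded but "has no opinion"

MODULE_TYPES = ("auth", "account", "session", "password")
CONTROL_FLAGS = ("required", "optional", "sufficient")


@dataclass
class Entry:
    service: str
    module_type: str
    control_flag: str
    module_path: str
    options: List[str] = field(default_factory=list)


def parse_pam_conf(text: str) -> List[Entry]:
    """Parse 'service module_type control_flag module_path options' lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf entry: {raw!r}")
        service, module_type, flag, path, *options = fields
        if module_type not in MODULE_TYPES:
            raise ValueError(f"unknown module type {module_type!r}: {raw!r}")
        if flag not in CONTROL_FLAGS:
            raise ValueError(f"unknown control flag {flag!r}: {raw!r}")
        entries.append(Entry(service, module_type, flag, path, options))
    return entries


def run_stack(entries: List[Entry], service: str, module_type: str,
              results: Dict[str, int]) -> Tuple[int, List[str]]:
    """Walk one service's stack in order; return (status, modules invoked)."""
    stack = [e for e in entries
             if e.service == service and e.module_type == module_type]
    invoked: List[str] = []
    first_required_err = None   # error of the first required module that failed
    first_err = None            # error of the first module in the stack that failed
    saw_required = saw_success = False
    for e in stack:
        invoked.append(e.module_path)
        if e.module_path not in results:
            return PAM_OPEN_ERR, invoked        # not found / cannot be opened
        rc = results[e.module_path]
        if rc == PAM_IGNORE:                    # control flag is ignored
            continue
        if rc == PAM_SUCCESS:
            saw_success = True
        elif first_err is None:
            first_err = rc
        if e.control_flag == "required":
            saw_required = True
            if rc != PAM_SUCCESS and first_required_err is None:
                first_required_err = rc
        elif e.control_flag == "sufficient" and rc == PAM_SUCCESS:
            # Short-circuit: later modules, required ones included, never run,
            # but an earlier required failure still wins.
            return (PAM_SUCCESS if first_required_err is None
                    else first_required_err), invoked
    if first_required_err is not None:
        return first_required_err, invoked
    if saw_required or saw_success:             # optional/sufficient errors ignored
        return PAM_SUCCESS, invoked
    return (first_err if first_err is not None else PAM_SUCCESS), invoked


# Constructed sample fragment (paths modelled on HP-UX names, not the manual's).
SAMPLE_PAM_CONF = """
login   auth     sufficient  /usr/lib/security/libpam_unix.so.1
login   auth     required    /usr/lib/security/libpam_ldap.so.1  try_first_pass
login   account  required    /usr/lib/security/libpam_unix.so.1
login   account  optional    /usr/lib/security/libpam_ldap.so.1
# Reversed order: required local check ahead of a sufficient LDAP check.
telnet  auth     required    /usr/lib/security/libpam_unix.so.1
telnet  auth     sufficient  /usr/lib/security/libpam_ldap.so.1
"""
UNIX = "/usr/lib/security/libpam_unix.so.1"
LDAP = "/usr/lib/security/libpam_ldap.so.1"


def demo() -> Dict[str, Tuple[int, List[str]]]:
    """Evaluate the sample stacks against constructed module outcomes."""
    e = parse_pam_conf(SAMPLE_PAM_CONF)
    return {
        "login_local": run_stack(e, "login", "auth", {UNIX: PAM_SUCCESS, LDAP: PAM_AUTH_ERR}),
        "login_ldap": run_stack(e, "login", "auth", {UNIX: PAM_AUTH_ERR, LDAP: PAM_SUCCESS}),
        "login_bad": run_stack(e, "login", "auth", {UNIX: PAM_AUTH_ERR, LDAP: PAM_AUTH_ERR}),
        "login_acct": run_stack(e, "login", "account", {UNIX: PAM_ACCT_EXPIRED, LDAP: PAM_SUCCESS}),
        "telnet_ldap": run_stack(e, "telnet", "auth", {UNIX: PAM_AUTH_ERR, LDAP: PAM_SUCCESS}),
        "login_missing": run_stack(e, "login", "auth", {UNIX: PAM_AUTH_ERR}),   # libpam_ldap absent
    }


if __name__ == "__main__":
    for name, (status, invoked) in demo().items():
        print(f"{name:14s} status={status:2d} invoked={invoked}")
```

Two outcomes are worth noticing. For the login stack, a local user is accepted by the sufficient libpam_unix entry and libpam_ldap is never invoked, so any check placed after a sufficient entry is skipped for that user; ordering is therefore a security decision, not just a performance one. For the telnet stack, a directory user is rejected even though the sufficient libpam_ldap entry succeeds, because the required libpam_unix entry ahead of it already failed. A missing library returns an error rather than a silent pass.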