LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

server administrator could create a user named “root” and then log in to the local system based
on the password associated with user “root” on the directory server.
To disable system access for local user accounts that are also defined in the LDAP directory server,
configure the deny_local option in the PAM configuration file /etc/pam.conf, entering a line
for each service, in the following format:
service module_type required libpam_ldap.so.1 deny_local
where:
service            Specifies the service used for accessing the system.
module_type        Specifies the service module authentication type (test category):
                   authentication (auth), account management (account), session
                   management (session), or password management (password). Typically,
                   the deny_local option is specified for both authentication and account
                   management, and for all PAM-enabled services.
required           Specifies the control flag as required (mandatory), which means the test
                   for the module must succeed; authentication for any modules/libraries
                   listed after it must also be satisfied. (In contrast, the sufficient flag
                   indicates that if authentication is satisfied for the flagged module, the
                   user is authenticated successfully; no further tests are performed.)
libpam_ldap.so.1   Specifies the pathname to the PAM_LDAP library object that implements
                   the service functionality. If the pathname is not absolute, it is assumed
                   to be relative to /usr/lib/security/$ISA/.
deny_local         Specifies the deny_local option.
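As an added example (not part of the HP guide), the following POSIX shell function audits a pam.conf-style file and reports every PAM_LDAP auth or account entry that lacks the deny_local option, which is the check an administrator would run after editing /etc/pam.conf as described above. The sample pam.conf content, service names and module lines are constructed for the example, not HP's shipped defaults.

```shell
#!/bin/sh
# Added example: audit pam.conf for libpam_ldap.so.1 auth/account lines
# that are missing deny_local. On HP-UX the real file is /etc/pam.conf.

# Constructed sample pam.conf (not the HP-UX default file).
SAMPLE_PAMCONF=$(mktemp)
trap 'rm -f "$SAMPLE_PAMCONF"' EXIT
cat >"$SAMPLE_PAMCONF" <<'EOF'
# comment lines and blank lines are skipped by the audit
login    auth      required   libpam_unix.so.1
login    auth      required   libpam_ldap.so.1   deny_local
login    account   required   libpam_unix.so.1
login    account   required   libpam_ldap.so.1
su       auth      required   libpam_unix.so.1
su       auth      required   libpam_ldap.so.1   deny_local
su       account   required   libpam_ldap.so.1   deny_local
sshd     auth      sufficient libpam_ldap.so.1
sshd     session   required   libpam_ldap.so.1
EOF

# missing_deny_local FILE
# Prints "<service> <module_type>" for each auth or account line whose module
# is libpam_ldap.so.1 (absolute or $ISA-relative path) and whose options do
# not include deny_local. Session and password lines are not checked, since
# deny_local is normally configured for auth and account.
missing_deny_local() {
    awk '
        /^[ \t]*(#|$)/ { next }                     # skip comments and blanks
        $2 != "auth" && $2 != "account" { next }    # only auth and account matter
        $4 !~ /libpam_ldap\.so\.1$/ { next }        # only PAM_LDAP entries
        {
            found = 0
            for (i = 5; i <= NF; i++) if ($i == "deny_local") found = 1
            if (!found) print $1, $2
        }
    ' "$1"
}

# On the constructed sample this reports: login account, sshd auth
missing_deny_local "$SAMPLE_PAMCONF"
```

Run it against /etc/pam.conf in place of the sample file; any line it prints is a service where an LDAP account sharing a name or UID with a local account would still be authenticated by PAM_LDAP.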
The following example shows the portion of the /etc/pam.conf file that configures the
authentication and account services. As a result, for any attempt to use these services to log in or
establish a session on the HP-UX client system, if PAM_LDAP detects an equivalent account name
or UID in the /etc/passwd file, it returns PAM_IGNORE (PAM_LDAP does not authenticate the
user). If an equivalent account name or UID is not found in the /etc/passwd file, PAM_LDAP
returns the appropriate authentication status (which could be, for example, notification that the
credential is invalid, the password needs to be updated, or that the authentication succeeded; the
status reported depends on the circumstances when the user tries to authenticate).
For more information about PAM, see the pam(3) and pam.conf(4) manpages, and the Managing
Systems and Workgroups: A Guide for HP-UX System Administrators document at the following
location:
http://www.hp.com/go/hpux-core-docs (click HP-UX 11i v2)
#
# PAM configuration
#
# This pam.conf file is intended as an example only.
#
# Please note that this configuration file has only been modified for the
# default services. Other services can be added or modified as
# needed or desired. If a service is not listed, it will use the
# OTHER classification
#
# the format for an entry is
# <service> <module_type> <control> <module path> <options>
#
#Notes:
#
# If the path to a library is not absolute, it is assumed to be relative
# to the directory /usr/lib/security/$ISA/
#
# The "$ISA" (i.e., Instruction Set Architecture) token is replaced by the
106 Installing and configuring LDAP-UX Client Services for an HP server environment