LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
2.5.6.3 Configuring PAM_LDAP authentication to ignore specific users
Supported for HP directory server environments only.
When PAM_LDAP is configured as the first service module in the /etc/pam.conf file (a typical
configuration in the Trusted Mode environment) and you lose access to your directory server,
you might be unable to log in to the system again unless you are one of the so-called
"recovery users" configured in the /etc/pam_user.conf file. LDAP-UX 5.0 (and later) supports
the ignore option for PAM_LDAP, which you can configure in pam_user.conf for specific users
(such as root). With this option, PAM_LDAP skips authentication for the specified users and
returns PAM_IGNORE, so PAM falls through to the next service module in the stack. LDAP-UX
supports this feature in both Standard Mode and Trusted Mode.
The /etc/pam_user.conf file is an optional user configuration file for PAM. It is used only
when a user-based configuration is needed. It mainly specifies options used by service modules
for specific users. The options defined in /etc/pam.conf specify the default for users who are
not configured in /etc/pam_user.conf or for users without a module type configured for them.
The /etc/pam.conf file is required for PAM to work properly.
To configure the ignore option, perform the following steps:
1. For each user that you want bypassed by PAM_LDAP authentication, enter a line in the
/etc/pam_user.conf file, using the following format:
user module_type libpam_ldap.so.1 ignore
where:
user              Specifies the user to be ignored by PAM_LDAP authentication.
module_type       Specifies the service module type: authentication (auth), account management (account), session management (session), or password management (password).
libpam_ldap.so.1  Specifies the pathname of the PAM_LDAP library object that implements the service functionality. If the pathname is not absolute, it is assumed to be relative to /usr/lib/security/$ISA/.
ignore            Specifies the ignore option.
The following is an example of a pam_user.conf file, showing the ignore option specified
for user root under authentication management, account management, session management,
and password management. As a result, when user root attempts to log in to the system, the
PAM_LDAP module does not authenticate root against the directory server; it just returns PAM_IGNORE.
################################################################
# /etc/pam_user.conf                                           #
# Sample configuration for using the ignore option for PAM_LDAP#
# for user root.                                               #
# The format for an entry is                                   #
# <user> <module type> <module path> <options>                 #
#                                                              #
# See pam_user.conf(4) for more details.                       #
#                                                              #
#                                                              #
# NOTE: If the path to a library is not absolute, it is assumed#
# to be relative to the directory /usr/lib/security/$ISA.      #
# The "$ISA" (i.e. Instruction Set Architecture) token is      #
# replaced by the PAM engine (libpam) with "hpux64" for IA     #
# 64-bit modules, or with "hpux32" for IA 32-bit modules, or   #
# with "pa20_64" for PA 64-bit modules, or with NULL for PA    #
# 32-bit modules.                                              #
# For PA applications, library name ending with "so.1" is a    #
# symbolic link that points to the corresponding PA (32 or 64  #
108 Installing and configuring LDAP-UX Client Services for an HP server environment
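Because the ignore option removes a user from PAM_LDAP authentication entirely, an administrator auditing a host wants to know exactly which users are exempted and for which module types. The following POSIX shell script is an added example, not part of the HP guide or of LDAP-UX: it parses a pam_user.conf file using the <user> <module type> <module path> <options> layout described above, lists every entry that exempts a user from the PAM_LDAP module, and checks whether a given recovery user is exempted for all four module types. The sample configuration it writes is constructed for the demonstration, and the user names oper and jdoe in it are placeholders.

```shell
#!/bin/sh
# Added example (not from the HP LDAP-UX guide): audit which users a
# pam_user.conf file exempts from PAM_LDAP via the "ignore" option.
# Field layout follows pam_user.conf(4): <user> <module_type> <module_path> <options>.

# Writes a constructed sample pam_user.conf to the path given in $1.
# The users oper and jdoe are placeholders invented for this example.
write_sample_pam_user_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real system file
root    auth      libpam_ldap.so.1 ignore
root    account   libpam_ldap.so.1 ignore
root    session   libpam_ldap.so.1 ignore
root    password  libpam_ldap.so.1 ignore
oper    auth      libpam_ldap.so.1 ignore
oper    auth      /usr/lib/security/$ISA/libpam_unix.so.1 debug
jdoe    auth      libpam_ldap.so.1
badline auth
EOF
}

# Prints "user module_type" for every well-formed entry whose module path is
# the PAM_LDAP library (relative or absolute) and whose options include the
# word "ignore". Comment lines, blank lines and entries with fewer than four
# fields are skipped, since they cannot carry an option at all.
list_ldap_ignored() {
    awk '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        NF < 4 { next }                        # <user> <type> <path> <options> required
        $3 != "libpam_ldap.so.1" && $3 !~ /\/libpam_ldap\.so\.1$/ { next }
        {
            for (i = 4; i <= NF; i++)
                if ($i == "ignore") { print $1, $2; break }
        }
    ' "$1"
}

# Returns 0 if user $2 is exempted from PAM_LDAP for all four module types in
# file $1, 1 otherwise. A user exempted for auth only would still depend on
# the directory server during account, session or password handling.
fully_ignored() {
    types=$(list_ldap_ignored "$1" | awk -v u="$2" '$1 == u { print $2 }' | sort -u | tr '\n' ' ')
    for t in auth account session password; do
        case " $types " in
            *" $t "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}
```

To run it against a real host, call list_ldap_ignored /etc/pam_user.conf; the output is the complete set of PAM_LDAP exemptions, which should match the intended recovery users and nothing more.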