LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

ManualsBrandsHP ManualsSoftwareHP-UX LDAP-UX Integration Software

101

102

103

104

105

106

107

108

109

110

# bit) backend library. #

################################################################

root auth libpam_ldap.so.1 ignore

root account libpam_ldap.so.1 ignore

root session libpam_ldap.so.1 ignore

root password libpam_ldap.so.1 ignore

For more information, see the pam_user.conf(4) manpage. For more information about HP-UX

user authentication and PAM, see the HP-UX System Administrator's Guide: Security

Management, available at the following location:

www.hp.com/go/hpux-core-docs (click HP-UX 11i v3)

2. Configure the PAM_UPDBE library (libpam_updbe) in the /etc/pam.conf file.

NOTE: You must configure this library in order for the configuration in /etc/

pam_user.conf to take effect.

PAM_UPDBE is the user policy definition service module for PAM. It reads options defined in

the user configuration file, /etc/pam_user.conf, and uses pam_set_data to store the

information in the PAM handle for use by subsequent service modules. In /etc/pam.conf,

configure the PAM_UPDBE library for each service module defined in /etc/pam_user.conf,

using the following format for each line entered:

user module_type required libpam_updbe.so.1

where:

user Specifies the user to be ignored by PAM_LDAP authentication

module_type Specifies the service module authentication type (test category):

authentication (auth), account management (account), session

management (session), or password management (password).

required Specifies the control flag as required (mandatory, which means

the test for the module must succeed; authentication for any

modules/libraries listed after it must also be satisfied. (In contrast,

the sufficient flag indicates that if authentication is satisfied

for the flagged module, the user is authenticated successfully; no

further tests are performed.)

libpam_updbe.so.1 Specifies the pathname to the PAM_UPDBE shared library object

that implements the service functionality. If the pathname is not

absolute, it is assumed to be relative to /usr/lib/security/

$ISA/.

For more information, see the pam_updbe(5) and pam_user.conf(4) manpages.

If PAM_HPSEC has been configured in /etc/pam.conf for the service you are going to

define for PAM_UPDBE, configure the PAM_UPDBE library in the line immediately following

the line that configures the service's PAM_HPSEC library. If PAM_HPSEC is not configured for

the given service, configure the PAM_UPDBE library as the first service module in /etc/

pam.conf. In either case, set the control flag for the PAM_UPDBE library as required.

PAM_UPDBE provides interfaces for all four PAM service module types (authentication

management, account management, session management, and password management). Each

service module reads the options defined for its type.

The following example is a portion of a /etc/pam.conf file that defines the PAM_UPDBE

library for the user login process. Because the PAM_HPSEC library is configured for each

service module, the PAM_UPDBE library configuration line is added immediately following

the corresponding service's PAM_HPSEC library configuration line.

# Authentication management

2.5 Postinstallation configuration tasks 109