LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

NOTE: If the status:rhds:check_ads_policy access rule is configured in the access policy
file, you must perform the following tasks:
• Define the allow:unix_local_user access rule in the access policy file so that local
  users can still log in.
• Define the status:rhds:check_ads_policy access rule at the end of the access policy
  file. HP recommends this because the status rule is guaranteed to match and return a
  PAM return code, so any access rule defined after it is never evaluated.
• Protect the syslog file. When the debug option is enabled, PAM_AUTHZ might write account
  and password policy attributes to the syslog file. For example, set the syslog file
  permissions so that only the superuser (root) can read it.
WARNING! Enabling the debug option in pam.conf might give an attacker information that helps
defeat password security. For example, an attacker who attempts to log in as the superuser
(su) and learns from the debug output that the superuser's password has expired could, by
observing that user's behavior, predict when the user is likely to log in next.
7.4.10.1.1 Example of access rules
The following example shows the access rules defined in the access policy file when security
policy enforcement is configured for ssh key-pair or r-command logins:
allow:unix_local_user
status:rhds:check_ads_policy
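The ordering constraint in the note above is easy to get wrong by hand, so the following linter checks an access policy file for it: it reports a missing allow:unix_local_user rule ahead of status:rhds:check_ads_policy and flags every rule that follows the status rule as unreachable. This is an added example, not LDAP-UX code; the default file path is an assumption (the page does not name the file), and the sample policies are constructed.

```python
"""Lint a PAM_AUTHZ access policy file for the ordering rules in the note above.

Added example, not LDAP-UX code.  The default file path is an assumption; the
rule strings are the ones shown on this page.
"""
import sys

# Assumed default location of the access policy file (not named on this page).
POLICY_FILE = "/etc/opt/ldapux/pam_authz.policy"

STATUS_RULE = "status:rhds:check_ads_policy"
LOCAL_USER_RULE = "allow:unix_local_user"


def parse_rules(text):
    """Return (line_number, rule) pairs, skipping blank lines and '#' comments."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line and not line.startswith("#"):
            rules.append((lineno, line))
    return rules


def lint_policy(text):
    """Return (severity, message) findings for the policy text.

    If status:rhds:check_ads_policy is present, allow:unix_local_user must be
    evaluated before it (or local users cannot log in), and every rule after
    the status rule is dead because the status rule always matches and returns
    a PAM return code.
    """
    rules = parse_rules(text)
    findings = []
    status_idx = next((i for i, (_, r) in enumerate(rules) if r == STATUS_RULE), None)
    if status_idx is None:
        return findings          # status rule not configured; nothing to check

    status_line = rules[status_idx][0]
    if not any(r == LOCAL_USER_RULE for _, r in rules[:status_idx]):
        findings.append(("error",
                         f"{LOCAL_USER_RULE} is not defined before {STATUS_RULE} "
                         f"(line {status_line}); local users will not be able to log in"))
    for lineno, rule in rules[status_idx + 1:]:
        findings.append(("warning",
                         f"line {lineno}: '{rule}' is never evaluated because it follows "
                         f"{STATUS_RULE} (line {status_line})"))
    return findings


# Constructed sample policies: the first matches the example on this page,
# the second has the two rules in the wrong order.
GOOD_POLICY = ("# ssh key pair / r-commands with directory policy checks\n"
               "allow:unix_local_user\n"
               "status:rhds:check_ads_policy\n")
BAD_POLICY = "status:rhds:check_ads_policy\nallow:unix_local_user\n"

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else POLICY_FILE
    with open(path) as fh:
        results = lint_policy(fh.read())
    for severity, message in results:
        print(f"{severity}: {message}")
    sys.exit(1 if any(s == "error" for s, _ in results) else 0)
```

Run it with the path of the access policy file as the only argument; a non-zero exit status means local users would be locked out of the host by the policy as written.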
7.4.10.2 Configuring access permissions for global policy attributes
For PAM_AUTHZ to support security policy enforcement with the directory server, it needs read
access to the security policy configuration attributes. In an HP-UX Directory Server environment,
these global policy attributes are all defined under cn=config. In a Windows ADS environment,
they are defined in the Group Policy Object as part of the default domain policy. Because
cn=config and the Group Policy Object are part of the security framework of the HP-UX Directory
Server and Windows ADS products, respectively, access to them is restricted to privileged users.
If you plan to use the PAM_AUTHZ enhancement to provide account and password policy enforcement,
you must configure LDAP-UX with a proxy user. For HP-UX Directory Server, grant this proxy user
read and search privileges on the required attributes in cn=config; these attributes are listed
in Table 19 and Table 21. For Windows ADS, grant this proxy user read and search privileges on
the required attributes in the base DN of the Windows domain; these attributes are listed in
Table 20 (page 215) and Table 22 (page 216). Grant only read and search rights: the proxy user
has no need to modify these attributes, and a broader grant would let anyone holding the proxy
credentials change the policy that PAM_AUTHZ enforces.
The following example ACI for an HP-UX Directory Server environment gives a proxy user permission
to read and search all global policy attributes in cn=config:
aci: (targetattr = "objectclass || passwordLockout || passwordUnlock
 || passwordMaxFailure || passwordExp || passwordMustChange
 || nsslapd-pwpolicy-local")
 (version 3.0; acl "Proxy global security policy attributes read and
 search rights";
 allow (read,search)
 (userdn = "ldap:///uid=proxyuser,ou=Special Users,o=hp.com");)
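Before adding an ACI like the one above to cn=config, it is worth confirming that it grants no more than the example does: the required attributes only, read and search only, and a bind rule limited to the proxy user. The following checker does that and also emits the LDIF needed to apply the ACI with ldapmodify. This is an added example, not HP-UX Directory Server code. Its parser is a simplified one that handles the single allow clause and single userdn bind rule form of the example ACI rather than the full ACI grammar; the attribute list is taken from the example (Tables 19 and 21 remain the authoritative list), and the over-broad ACI used for contrast is constructed.

```python
"""Check that a proxy-user ACI grants PAM_AUTHZ exactly what it needs.

Added example, not HP-UX Directory Server code.  The parser handles the
single allow clause / single userdn bind rule form used in the example ACI
on this page, not the full ACI grammar.
"""
import re

# Attributes named in the example ACI on this page; Tables 19 and 21 of the
# guide are the authoritative list.
REQUIRED_ATTRS = {
    "objectclass", "passwordLockout", "passwordUnlock", "passwordMaxFailure",
    "passwordExp", "passwordMustChange", "nsslapd-pwpolicy-local",
}
ALLOWED_RIGHTS = {"read", "search"}
# Bind rules that would expose the policy attributes to everyone.
BROAD_USERDNS = {"ldap:///anyone", "ldap:///all"}

_TARGETATTR = re.compile(r'targetattr\s*=\s*"([^"]*)"', re.I)
_RIGHTS = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)', re.I)
_USERDN = re.compile(r'userdn\s*=\s*"([^"]*)"', re.I)


def parse_aci(aci):
    """Extract target attributes, granted/denied rights and the userdn bind rule."""
    body = re.sub(r'^\s*aci:\s*', '', aci)
    m = _TARGETATTR.search(body)
    attrs = {a.strip().lower() for a in m.group(1).split("||")} if m else set()
    allowed, denied = set(), set()
    for kind, rights in _RIGHTS.findall(body):
        target = allowed if kind.lower() == "allow" else denied
        target.update(r.strip().lower() for r in rights.split(",") if r.strip())
    m = _USERDN.search(body)
    return {"attrs": attrs, "allow": allowed, "deny": denied,
            "userdn": m.group(1).strip() if m else None}


def check_proxy_aci(aci, proxy_dn, required_attrs=REQUIRED_ATTRS):
    """Return a list of problems; an empty list means the ACI is as tight as the example."""
    p = parse_aci(aci)
    problems = []
    if "*" in p["attrs"]:
        problems.append("targetattr is '*': every attribute of the entry is exposed")
    else:
        missing = {a.lower() for a in required_attrs} - p["attrs"]
        if missing:
            problems.append("targetattr lacks required attributes: " + ", ".join(sorted(missing)))
    if p["deny"]:
        problems.append("ACI contains a deny clause; PAM_AUTHZ needs an allow rule")
    extra = p["allow"] - ALLOWED_RIGHTS
    if extra:
        problems.append("rights beyond read,search granted: " + ", ".join(sorted(extra)))
    if not ALLOWED_RIGHTS <= p["allow"]:
        problems.append("both read and search must be allowed")
    expected = f"ldap:///{proxy_dn}".lower()
    if p["userdn"] is None:
        problems.append("no userdn bind rule; the ACI must be bound to the proxy user")
    elif p["userdn"].lower() in BROAD_USERDNS:
        problems.append(f"userdn {p['userdn']} is not limited to the proxy user")
    elif p["userdn"].lower() != expected:
        problems.append(f"userdn {p['userdn']} does not match proxy user {proxy_dn}")
    return problems


def aci_ldif(aci, entry_dn="cn=config"):
    """LDIF for ldapmodify that adds the ACI to the entry holding the attributes."""
    one_line = " ".join(re.sub(r'^\s*aci:\s*', '', aci).split())
    return f"dn: {entry_dn}\nchangetype: modify\nadd: aci\naci: {one_line}\n"


# The ACI shown on this page, and a constructed, deliberately over-broad one.
PROXY_DN = "uid=proxyuser,ou=Special Users,o=hp.com"
PAGE_ACI = '''aci: (targetattr= "objectclass ||passwordLockout ||passwordUnlock
||passwordMaxFailure ||passwordExp ||passwordMustChange
||nsslapd-pwpolicy-local")
(version 3.0; acl "Proxy global security policy attributes read and
search rights";
allow (read,search)
(userdn = "ldap:///uid=proxyuser,ou=Special Users,o=hp.com");)'''
BROAD_ACI = ('(targetattr = "*")(version 3.0; acl "too broad"; '
             'allow (all) (userdn = "ldap:///anyone");)')

if __name__ == "__main__":
    for name, aci in (("page ACI", PAGE_ACI), ("broad ACI", BROAD_ACI)):
        problems = check_proxy_aci(aci, PROXY_DN)
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
    print(aci_ldif(PAGE_ACI))
```

The LDIF that aci_ldif produces is applied with ldapmodify bound as the Directory Manager, since cn=config is not writable by ordinary users; afterwards, bind as the proxy user and search cn=config for the listed attributes to confirm the grant works before enabling enforcement on clients.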
Just as this example grants the proxy user access to the global policy attributes on an HP-UX
Directory Server, a Windows ADS environment must grant the proxy user access to the corresponding
attributes listed in Table 20 (page 215) and Table 22 (page 216). For the list of security policy
attributes supported by LDAP-UX, see Section 7.4.10.6 (page 214).
212 Administering LDAP-UX Client Services