LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
You can allow access to the Group Policy Object attributes in Windows ADS using the Active
Directory Users and Computers control panel. For more information, refer to your Microsoft Windows
documentation or the help topics provided by the Active Directory Users and Computers control
panel.
Advanced administrators with intimate knowledge of Windows ADS and security policy can also
view and modify the attributes by using ADSI Edit.
7.4.10.3 Configuring the PAM configuration file
If you want to use PAM_AUTHZ to support enforcement of account and password policies stored
in your directory server, you must define the PAM_AUTHZ library and the rcommand option in
the /etc/pam.conf file for the sshd and rcomds services in the account management section
of the file. In addition, the control flag for the PAM_AUTHZ library must be set to required. For
an example of a proper configuration, see Section D.5 (page 430). For more information about
pam.conf configuration, see the introduction to “Sample PAM configuration (pam.conf) files”
(page 420).
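The requirement above is easy to get subtly wrong (an entry under the wrong module type, an optional control flag, or a missing rcommand option). The following added example, which is not from the guide or from LDAP-UX itself, parses pam.conf text and reports, per service, whether the sshd and rcomds account-management stanzas load PAM_AUTHZ as required with the rcommand option. The module file name libpam_authz.so.1 and the sample pam.conf content are assumptions constructed for the example.

```python
# Added example: audit pam.conf for the PAM_AUTHZ account-management entries.
# libpam_authz.so.1 is an assumed module file name; SAMPLE_PAM_CONF is constructed.

PAM_AUTHZ_LIB = "libpam_authz.so.1"      # assumption: PAM_AUTHZ module file name
REQUIRED_SERVICES = ("sshd", "rcomds")   # services named in the guide


def parse_pam_conf(text):
    """Parse pam.conf lines of the form:
    service  module_type  control_flag  module_path  [options...]
    Comments (#) and blank lines are ignored; short lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; a stricter audit would report it
        service, mtype, flag, path = parts[:4]
        entries.append({"service": service, "type": mtype, "flag": flag,
                        "path": path, "options": parts[4:]})
    return entries


def check_pam_authz(text, services=REQUIRED_SERVICES):
    """Return {service: [problems]}; an empty list means the stanza is correct.

    For each service the account section must contain a PAM_AUTHZ entry whose
    control flag is 'required' and whose options include 'rcommand'."""
    entries = parse_pam_conf(text)
    report = {}
    for svc in services:
        problems = []
        authz = [e for e in entries
                 if e["service"] == svc and e["type"] == "account"
                 and e["path"].endswith(PAM_AUTHZ_LIB)]
        if not authz:
            problems.append("no account entry for %s" % PAM_AUTHZ_LIB)
        for e in authz:
            if e["flag"] != "required":
                problems.append("control flag is %r, expected 'required'" % e["flag"])
            if "rcommand" not in e["options"]:
                problems.append("rcommand option missing")
        report[svc] = problems
    return report


# Constructed sample: sshd is configured correctly, rcomds has two defects.
SAMPLE_PAM_CONF = """\
# constructed sample, not a real /etc/pam.conf
login    account  required  libpam_unix.so.1
sshd     account  required  libpam_unix.so.1
sshd     account  required  libpam_authz.so.1  rcommand
rcomds   account  required  libpam_unix.so.1
rcomds   account  optional  libpam_authz.so.1
"""

if __name__ == "__main__":
    for service, problems in check_pam_authz(SAMPLE_PAM_CONF).items():
        print(service, "OK" if not problems else "; ".join(problems))
```

To audit a live system, read /etc/pam.conf and pass its contents to check_pam_authz; any non-empty problem list means PAM_AUTHZ will not enforce the directory's account and password policy for that service.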
7.4.10.4 Evaluating the directory server security policy
The following is an example of the access rule in the access policy file for an HP-UX Directory
Server:
status:rhds:check_rhds_policy
The following is an access rule for Windows ADS:
status:ads:check_ads_policy
If the former access rule is specified in the access policy file, the check_rhds_policy routine
in the libpolicy_rhds library is loaded and executed. If the latter access rule is specified, the
check_ads_policy routine in the libpolicy_ads library is loaded and executed. PAM_AUTHZ
constructs a request message that is used to retrieve the current security policy configuration and
to examine the user’s security policy status attributes, in order to determine whether the user complies
with the security policy. For an HP directory server, PAM_AUTHZ searches for the following information:
• In the HP directory server Global policy attributes under cn=config: passwordLockout,
passwordUnlock, passwordMaxFailure, passwordExp, passwordMustChange,
nsslapd-pwpolicy-local.
• User specific policy attributes: accountUnlockTime, passwordExpirationTime,
pwdPolicySubEntry, passwordRetryCount, nsAccountLock.
• If fine-grained policy is turned on and the sub-tree policy for this user has been configured,
then LDAP-UX searches for password policy attributes at the subtree and user level:
passwordLockout, passwordUnlock, passwordMaxFailure, passwordExp,
passwordMustChange.
For Windows ADS, PAM_AUTHZ searches for and needs access to (through the proxy user):
• Global policy object attributes for the domain: lockoutDuration, maxPwdAge.
• User specific policy attributes: userAccountControl, userWorkstations, pwdLastSet,
accountExpires, LockoutTime and logonHours.
For an HP directory server, PAM_AUTHZ evaluates the necessary security policy settings to perform
the following checks, and returns the corresponding PAM return code to the application or command
that called the PAM API:
• Determines whether an account is activated
• Determines whether an account is locked
• Determines whether the password has expired
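The three checks above, together with the fine-grained policy override described earlier, can be modelled as a short evaluation routine. The following is an added example written for this page; it is not PAM_AUTHZ's code or the libpolicy_rhds routine, and it covers only the HP directory server rule, not the Windows ADS rule. The attribute names are the ones the guide lists; the evaluation order, the interpretation of on/off and generalized-time values, the mapping to PAM return codes, and all sample entries are assumptions constructed for the example.

```python
# Added example: model of the HP directory server policy checks PAM_AUTHZ performs.
# Attribute names are from the guide; evaluation order, PAM return-code mapping
# and the sample data are assumptions, not PAM_AUTHZ's actual implementation.
from datetime import datetime, timezone


def _on(value):
    """Directory policy switches are the strings 'on' / 'off'."""
    return str(value).lower() == "on"


def _gtime(value):
    """Parse LDAP generalized time such as 20240601120000Z as UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def effective_policy(global_policy, subtree_policies, user):
    """Global cn=config values, overridden by the subtree policy named in the
    user's pwdPolicySubEntry when fine-grained policy (nsslapd-pwpolicy-local) is on."""
    policy = dict(global_policy)
    if _on(global_policy.get("nsslapd-pwpolicy-local", "off")):
        sub = subtree_policies.get(user.get("pwdPolicySubEntry"))
        if sub:
            policy.update(sub)
    return policy


def check_rhds_policy(global_policy, subtree_policies, user, now):
    """Return an assumed PAM return code for one user at time `now`."""
    policy = effective_policy(global_policy, subtree_policies, user)

    # 1. Is the account activated?  nsAccountLock=true is an administrative disable.
    if str(user.get("nsAccountLock", "false")).lower() == "true":
        return "PAM_ACCT_EXPIRED"

    # 2. Is the account locked after too many failed attempts?
    if _on(policy.get("passwordLockout", "off")):
        max_failure = int(policy.get("passwordMaxFailure", 0))
        retries = int(user.get("passwordRetryCount", 0))
        if max_failure > 0 and retries >= max_failure:
            # With passwordUnlock off the lock never lifts by itself.
            if not _on(policy.get("passwordUnlock", "off")):
                return "PAM_PERM_DENIED"
            unlock_at = user.get("accountUnlockTime")
            if unlock_at is None or _gtime(unlock_at) > now:
                return "PAM_PERM_DENIED"

    # 3. Has the password expired?  (passwordMustChange is not modelled separately.)
    if _on(policy.get("passwordExp", "off")):
        expires = user.get("passwordExpirationTime")
        if expires is not None and _gtime(expires) <= now:
            return "PAM_NEW_AUTHTOK_REQD"

    return "PAM_SUCCESS"


# Constructed sample data.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
GLOBAL_POLICY = {"passwordLockout": "on", "passwordUnlock": "on",
                 "passwordMaxFailure": "3", "passwordExp": "on",
                 "passwordMustChange": "off", "nsslapd-pwpolicy-local": "on"}
ADMIN_POLICY_DN = "cn=adminPolicy,ou=admins,o=example"        # constructed DN
SUBTREE_POLICIES = {ADMIN_POLICY_DN: {"passwordMaxFailure": "2"}}  # stricter subtree
USERS = {
    "alice": {"passwordRetryCount": "1", "passwordExpirationTime": "20300101000000Z"},
    "bob":   {"passwordRetryCount": "3", "accountUnlockTime": "20240601003000Z",
              "passwordExpirationTime": "20300101000000Z"},
    "carol": {"nsAccountLock": "true"},
    "dave":  {"pwdPolicySubEntry": ADMIN_POLICY_DN, "passwordRetryCount": "2",
              "accountUnlockTime": "20240601003000Z"},
    "erin":  {"passwordRetryCount": "0", "passwordExpirationTime": "20240101000000Z"},
}


def evaluate_all(now=NOW):
    return {name: check_rhds_policy(GLOBAL_POLICY, SUBTREE_POLICIES, attrs, now)
            for name, attrs in USERS.items()}


if __name__ == "__main__":
    for name, code in evaluate_all().items():
        print(name, code)
```

In the sample, dave has only two failed attempts, below the global passwordMaxFailure of 3, but the subtree policy his pwdPolicySubEntry points to sets the limit to 2, so he is reported as locked until his accountUnlockTime passes; this is the effect of the fine-grained policy lookup described above.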
7.4 Configuring PAM_AUTHZ login authorization 213