LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

For Windows ADS, PAM_AUTHZ performs the following:
Determines whether an account is activated
Determines the hours (time of day) during which the user is allowed to log on to the domain
Determines whether an account password must be changed
Determines whether an account is locked
Determines whether the password has expired
7.4.10.5 PAM return codes
If the status:rhds:check_rhds_policy access rule is specified in the access policy file for
HP-UX Directory Server or Red Hat Directory Server, or the status:rhds:check_ads_policy
access rule is specified in the access policy file for Windows ADS, PAM_AUTHZ evaluates the
necessary security policy settings and returns the possible PAM return codes as follows:

PAM_USER_UNKNOWN      Returned if the user is not found in the directory server, or if any
                      internal errors occur (such as an error returned by the server) upon
                      attempting to find the user's policy attributes
PAM_ACCT_EXPIRED      Returned if the user account is inactive or has been locked out
PAM_NEW_AUTHTOK_REQD  Returned if the user's password has expired
PAM_SUCCESS           Returned if the user account is active and not locked, and the
                      user's password has not expired
7.4.10.6 Directory server security policies
Global security attributes
In a directory server, numerous attributes can be used to define security policies.
For an HP directory server, to support account and password security policy enforcement,
PAM_AUTHZ is enhanced to support the global administrative security attributes listed in Table 19.
These attributes are used to define the policy rules and are all defined under cn=config. Only
authorized users can access them. If you use the PAM_AUTHZ enhancement to support the account
and password policy enforcement, you must configure LDAP-UX with a proxy user and grant this
proxy user read and search rights to search cn=config.
Table 19 Global security attributes supported for an HP directory server

Attribute           Description

passwordLockout     This boolean attribute indicates whether users will be locked out of the
                    directory after a given number of failed bind attempts. By default, users
                    are not locked out of the directory after a series of failed bind attempts.

passwordUnlock      This boolean attribute indicates whether users will be locked out of the
                    directory for a specified amount of time or until the password is reset
                    after an account lockout. If the passwordUnlock attribute is disabled and
                    the accountUnlockTime attribute has a value of 0, then the account will be
                    locked indefinitely.

passwordMaxFailure  This integer attribute indicates the maximum number of password failures
                    after which a user will be locked out of the directory. By default, account
                    lockout is disabled.

passwordExp         This boolean attribute indicates whether user passwords will expire after a
                    given number of seconds. By default, user passwords do not expire. If this
                    attribute is enabled, you can use the passwordMaxAge attribute to set the
                    number of seconds after which the password will expire.
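The following is an added illustration, not LDAP-UX code, of how the return codes in 7.4.10.5 follow from the Table 19 attributes (plus accountUnlockTime): a global policy read from cn=config is applied to each user's state. The per-user field names (account_active, failed_binds, locked_at, password_changed_at) and all values are constructed for the example; the real module reads the user's policy attributes from the directory.

```python
# Added illustration of the PAM_AUTHZ status check (not LDAP-UX code).
# Global keys are the Table 19 attributes; the per-user fields
# (account_active, failed_binds, locked_at, password_changed_at) are
# assumed names standing in for the user's policy attributes.
DAY = 86400
NOW = 1_700_000_000  # constructed "current time" (epoch seconds)

# Constructed global policy, as PAM_AUTHZ would read it under cn=config.
GLOBAL_POLICY = {
    "passwordLockout": True,
    "passwordUnlock": True,
    "passwordMaxFailure": 3,
    "accountUnlockTime": 600,     # seconds an account stays locked
    "passwordExp": True,
    "passwordMaxAge": 30 * DAY,   # seconds until a password expires
}

# Constructed per-user state for the examples below.
USERS = {
    "alice": dict(account_active=True, failed_binds=0, locked_at=0, password_changed_at=NOW - 5 * DAY),
    "bob": dict(account_active=True, failed_binds=3, locked_at=NOW - 60, password_changed_at=NOW - 5 * DAY),
    "carol": dict(account_active=True, failed_binds=0, locked_at=0, password_changed_at=NOW - 40 * DAY),
    "dave": dict(account_active=False, failed_binds=0, locked_at=0, password_changed_at=NOW - 5 * DAY),
    "erin": dict(account_active=True, failed_binds=3, locked_at=NOW - 700, password_changed_at=NOW - 5 * DAY),
}

def is_locked(policy, user, now):
    """Lockout per passwordLockout/passwordMaxFailure/passwordUnlock."""
    if not policy["passwordLockout"] or user["failed_binds"] < policy["passwordMaxFailure"]:
        return False
    if not policy["passwordUnlock"]:
        return True  # assumed reading: stays locked until the password is reset
    return now < user["locked_at"] + policy["accountUnlockTime"]

def password_expired(policy, user, now):
    """Expiry per passwordExp/passwordMaxAge."""
    return policy["passwordExp"] and now - user["password_changed_at"] > policy["passwordMaxAge"]

def check_policy(policy, users, username, now):
    """Return the PAM code the text says PAM_AUTHZ hands back for this user."""
    user = users.get(username)
    if user is None:  # not found (the real module also maps server errors here)
        return "PAM_USER_UNKNOWN"
    if not user["account_active"] or is_locked(policy, user, now):
        return "PAM_ACCT_EXPIRED"
    if password_expired(policy, user, now):
        return "PAM_NEW_AUTHTOK_REQD"
    return "PAM_SUCCESS"
```

Note that bob is still inside his accountUnlockTime window while erin's has elapsed, so only bob is reported as locked.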