LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
IMPORTANT: Before modifying your pam.conf file, keep a backup of the original pam.conf
file that includes the simplified authentication model. You can then fall back to the backup if
your modified file causes problems. For example, you might inadvertently enter an invalid library
name or delete a library name, making login impossible for everyone. If no one is logged
in with root permissions at that point, the errors in the file cannot be fixed. With a backup file, you can
recover by rebooting the OS into single-user mode and restoring the original pam.conf from the
backup.
When you make changes to pam.conf, test login from another console or window while your
current root session stays open. If you can log in as root and as a test user, you can assume your
changes are valid. If you cannot, repair the problem or restore the pam.conf backup copy.
IMPORTANT: For HP server environments, HP recommends that the PAM_UNIX library be listed before
the PAM_LDAP library, unless the latter is marked as sufficient. In this way, even if PAM_LDAP
authentication fails, the PAM_UNIX module still authenticates the user against the local files, so a
user with an account on the local system can log in. This lets the privileged user access the system
to fix problems and reboot it, if necessary.
For Windows ADS environments, HP recommends that the PAM_KERBEROS module be listed before
the PAM_UNIX library and be marked as sufficient, so that if PAM_KERBEROS authentication fails,
PAM falls through to the PAM_UNIX module and a user with an account on the local system can still
log in. This lets the privileged user access the system to fix problems and reboot it, if
necessary.
However, in either environment, if the PAM_LDAP or PAM_KERBEROS library (or any other library
listed before PAM_UNIX) is inadvertently removed from the location specified by its module_path,
and the pam.conf file is not revised accordingly, PAM returns an error and even that privileged user
is unable to access the local system. Make sure this does not happen.
Never remove a product that is defined as a service module object library in a pam.conf file until
you have first removed use of that library from the file.
These sample files reflect the recommendation to keep the root user (or another user with access
privileges for the local system) in the local /etc/passwd on each client machine, so that the root
account is managed locally. This is an important step toward guaranteeing local access to the
system when the network is down.
For more information about PAM and the pam.conf file, see the pam(3) and pam.conf(4)
manpages, and the Managing Systems and Workgroups: A Guide for HP-UX System Administrators
document at the following location:
http://www.hp.com/go/hpux-core-docs (click HP-UX 11i v2)
NOTE: In the following sample pam.conf files, significant configuration changes are highlighted
in bold print.
D.1 Sample of a typical pam.conf file for an HP server environment
This section includes the /etc/pam.ldap file, a typical PAM configuration file that can
be copied to pam.conf. This configuration file complies with the HP recommendation that HP-UX
file-based authentication be performed first, followed by LDAP or other authentication. With this
configuration, PAM uses traditional authentication first, searching /etc/passwd when any user
logs in, and attempts to authenticate against the directory only if the user is not in /etc/passwd. If
you keep a few users in /etc/passwd, in particular the root user, you can still log in to the client
as one of those users when the directory is unavailable.
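The following script is an added example; it is not part of this guide and not LDAP-UX code. It checks a candidate pam.conf against the two recommendations above before the file is copied over /etc/pam.conf: every module_path named in the file must still resolve to a library (removing a library that pam.conf references locks everyone out, root included), and in each auth stack any network module listed ahead of PAM_UNIX must be marked sufficient rather than required. The sample pam.conf contents, the library file names (libpam_hpsec.so.1, libpam_unix.so.1, libpam_ldap.so.1, libpam_krb5.so.1), the dtlogin service name and the fake library directory are constructed for the example; on a real HP-UX 11i v2 client, point LIBDIR at the /usr/lib/security/$ISA directory, which the script does not expand itself.

```shell
#!/bin/sh
# Added example, not from the LDAP-UX guide: sanity-check a candidate pam.conf
# before copying it over /etc/pam.conf. Two rules from the appendix:
#   1. every module_path must still resolve to a library on disk, otherwise
#      PAM returns an error for everyone, root included;
#   2. in an auth stack, a network module (LDAP, Kerberos) listed ahead of
#      PAM_UNIX must be "sufficient", never "required", so a directory outage
#      cannot lock the local root account out.
# Assumptions not taken from the page: libpam_*.so.1 file names, relative
# module paths resolving under LIBDIR ($ISA is not expanded), and the set of
# control flags accepted (required, requisite, sufficient, optional).

# check_pam_conf FILE LIBDIR: prints one line per problem; returns 1 if any.
check_pam_conf() {
    problems=$(sed 's/#.*//' "$1" | awk -v lib="$2" '
        NF == 0 { next }
        NF < 4  { printf "line %d: need service type flag module_path\n", NR; next }
        $2 !~ /^(auth|account|session|password)$/ {
            printf "line %d: unknown module type %s\n", NR, $2 }
        $3 !~ /^(required|requisite|sufficient|optional)$/ {
            printf "line %d: unknown control flag %s\n", NR, $3 }
        {   # rule 1: the referenced library must exist
            p = ($4 ~ /^\//) ? $4 : lib "/" $4
            if (system("test -f \"" p "\"") != 0)
                printf "line %d: module %s not found\n", NR, p }
        # rule 2: remember, per service, whether PAM_UNIX has appeared yet;
        # only PAM_HPSEC may sit ahead of it as "required"
        $2 == "auth" && $4 ~ /libpam_unix/ { seen_unix[$1] = 1 }
        $2 == "auth" && !seen_unix[$1] && $4 !~ /libpam_(hpsec|unix)/ &&
            ($3 == "required" || $3 == "requisite") {
            printf "line %d: %s is %s ahead of libpam_unix in the %s auth stack\n",
                NR, $4, $3, $1 }
    ')
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# Constructed samples (not the guide's /etc/pam.ldap): the HP server stack
# described in D.1 (hpsec, unix as sufficient, ldap with try_first_pass),
# and a broken variant, checked against a fake library directory.
TMP=$(mktemp -d)
mkdir -p "$TMP/lib"
for m in libpam_hpsec.so.1 libpam_unix.so.1 libpam_ldap.so.1; do
    : > "$TMP/lib/$m"
done

cat > "$TMP/pam.ldap" <<'EOF'
# HP server environment: local files first, directory second
login   auth    required    libpam_hpsec.so.1
login   auth    sufficient  libpam_unix.so.1
login   auth    required    libpam_ldap.so.1  try_first_pass
login   account required    libpam_hpsec.so.1
login   account sufficient  libpam_unix.so.1
login   account required    libpam_ldap.so.1
EOF

cat > "$TMP/pam.broken" <<'EOF'
# Mistakes: ldap is required ahead of unix, the Kerberos flag is misspelled,
# and the Kerberos library was removed without revising this file.
login   auth    required    libpam_hpsec.so.1
login   auth    required    libpam_ldap.so.1  try_first_pass
login   auth    sufficient  libpam_unix.so.1
dtlogin auth    required    libpam_hpsec.so.1
dtlogin auth    sufficent   libpam_krb5.so.1
dtlogin auth    required    libpam_unix.so.1
EOF

for f in pam.ldap pam.broken; do
    if check_pam_conf "$TMP/$f" "$TMP/lib"; then
        echo "$f: no problems found; back up /etc/pam.conf, then copy it over"
    else
        echo "$f: fix the problems above before copying it to /etc/pam.conf"
    fi
done
echo "sample files left under $TMP"
```

Run it as check_pam_conf /etc/pam.ldap <LIBDIR> after editing the file, with your root session still open, and copy the file to /etc/pam.conf only when it reports nothing. It does not replace the login test the guide recommends: a library that exists but is misconfigured passes this check and still fails at login.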
Specifically, for authentication (auth), each stacked service is authenticated first by the PAM_HPSEC
module, then by the PAM_UNIX module, and finally by the PAM_LDAP module. Because PAM_UNIX
authentication is designated as sufficient, if its authentication succeeds, PAM returns success
immediately. The PAM_LDAP module is invoked only if the PAM_UNIX authentication fails. The
try_first_pass option on PAM_LDAP causes PAM to try the password that the user entered for the
preceding module in the stack (in this case, PAM_UNIX); if it does not match the directory or no
password has been entered, the user is prompted for a password. If the