LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

D.2 Sample PAM configuration file typical for integration with Windows ADS
This section includes a sample PAM configuration file typical for integration with Windows ADS.
In the following sample pam.conf file, in the case of authentication (auth) management, each
stacked service is authenticated first by the PAM_HPSEC module, then by the PAM_KERBEROS
module, and finally by the PAM_UNIX module. Because Kerberos authentication is designated as
sufficient, if its authentication succeeds, then PAM returns success status. The PAM_UNIX
module is invoked only if the PAM_KERBEROS authentication fails. The try_first_pass option
used as an option for PAM_UNIX causes PAM to test the password that the user entered for the
preceding module of the stack (in this case, PAM_KERBEROS); if it does not match the database
or no password has been entered, the user is prompted for a password. If the use_first_pass
option had been specified instead, and the password does not match the database or has not
been entered, authentication fails. If no options are specified, each module acts independently,
each requesting passwords for its own database.
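As an added illustration (not part of this guide), the following Python model walks the login auth stack from the pam.conf sample below the way the text describes: a sufficient PAM_KERBEROS success ends the stack, and try_first_pass versus use_first_pass decides whether PAM_UNIX re-prompts or fails when the earlier password is rejected. The credential stores, user names and toy module behaviour are constructed assumptions; no real libpam_* module is called.

```python
# Added example, not part of the guide: a model of how PAM walks the "login auth"
# stack from the sample pam.conf. The credential stores and user names are
# constructed; the real libpam_* modules are not called.
SAMPLE_PAM_CONF = """\
# Authentication management
login auth required libpam_hpsec.so.1
login auth sufficient libpam_krb5.so.1
login auth required libpam_unix.so.1 try_first_pass
"""
KRB_DB = {"alice": "krb-secret"}   # constructed: alice is a Kerberos principal
UNIX_DB = {"bob": "local-secret"}  # constructed: bob exists only in /etc/passwd
def parse_auth_stack(pam_conf, service):
    """Return [(module, control_flag, {options})] for the `<service> auth` lines."""
    stack = []
    for line in pam_conf.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] == service and f[1] == "auth":
            module = f[3].split(".")[0].replace("libpam_", "")  # libpam_krb5.so.1 -> krb5
            stack.append((module, f[2], set(f[4:])))
    return stack

def module_auth(module, user, password, krb_db, unix_db):
    """Toy modules: hpsec only runs pre-auth checks; the others check their own store."""
    if module == "hpsec":
        return True
    db = krb_db if module == "krb5" else unix_db
    return user in db and db[user] == password

def run_auth_stack(stack, user, typed, krb_db, unix_db):
    """Walk the stack like PAM; `typed` is what the user enters at each prompt.
    Returns (authenticated, prompts_shown, modules_invoked)."""
    typed, prompts, invoked, first_pass, required_failed = list(typed), 0, [], None, False
    for module, flag, options in stack:
        invoked.append(module)
        reuse = first_pass is not None and bool(options & {"use_first_pass", "try_first_pass"})
        ok = module == "hpsec" or (reuse and module_auth(module, user, first_pass, krb_db, unix_db))
        # Prompt when there is no earlier password, the module has no *_first_pass
        # option, or try_first_pass re-tried the earlier one and it was rejected.
        # use_first_pass never prompts: a missing or rejected earlier password fails.
        if not ok and "use_first_pass" not in options:
            first_pass = typed.pop(0) if typed else ""
            prompts += 1
            ok = module_auth(module, user, first_pass, krb_db, unix_db)
        if flag == "sufficient" and ok and not required_failed:
            return True, prompts, invoked   # Kerberos success: PAM_UNIX never runs
        if flag == "required" and not ok:
            required_failed = True          # keep walking, but the stack fails
    return not required_failed, prompts, invoked

LOGIN_AUTH = parse_auth_stack(SAMPLE_PAM_CONF, "login")
```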
To create the /etc/pam.conf example file on an HP-UX 11i v2 (or later) system, follow these
steps:
1. Copy the /etc/pam.krb5 file to the /etc/pam.conf file.
2. For Trusted Mode only (see the sample file in Section D.4 (page 428)), edit the /etc/pam.conf
   file and change the control flag for the libpam_krb5.so.1 entries to "required" in the
   session management section.
   For security policy enforcement, configure the PAM_AUTHZ library as shown in Section D.6
   (page 432).
3. Add the try_first_pass option to the libpam_unix.so.1 entry in the password
   management section; this prevents prompting "old password" twice when a local user
   changes his password or logs in with an expired password.
For a list of all steps that you might need to perform to set up Kerberos support, see Section 3.4.2
(page 128).
#
#
# PAM configuration
#
# This pam.conf file is intended as an example only.
# For more details, see pam.conf(4).
#
################################################################
# This sample file will authenticate the user who belongs to   #
# either Kerberos or the Unix system. Using this configuration #
# file, if the user is authenticated through Kerberos, then the#
# Unix authentication will not be invoked. However, if the     #
# Kerberos authentication fails for the user, then the fallback#
# authentication mechanism PAM-Unix is invoked to authenticate #
# the user. The assumption is the user is either present       #
# in Kerberos or in the Unix system.                           #
#                                                              #
# The module pam_hpsec is specified at the top of each         #
# stack for making security checks before authentication.      #
# For more information about pam_hpsec, see the pam_hpsec(5)   #
# manpage.                                                     #
################################################################
#
# Authentication management
#
login auth required libpam_hpsec.so.1
login auth sufficient libpam_krb5.so.1
login auth required libpam_unix.so.1 try_first_pass
su auth required libpam_hpsec.so.1
424 Sample PAM configuration (pam.conf) files