LDAP-UX Integration B.04.20 Release Notes (April 2010 Update)
Known Problem
Security Policy Enforcement
Workaround
Some of the password and account policy limitations discussed above are resolved by using the
libpam_authz library to authorize PAM-based services. The libpam_authz library is used
to supplement authorization analysis and does not replace libpam_ldap or any other PAM
library. libpam_authz is configured in the account management section of the /etc/pam.conf
file. For example:
#
# Account management
#
login account required libpam_hpsec.so.1
login account required libpam_authz.so.1
login account sufficient libpam_unix.so.1
login account required libpam_ldap.so.1
su account required libpam_hpsec.so.1
su account required libpam_authz.so.1
su account sufficient libpam_unix.so.1
su account required libpam_ldap.so.1
dtlogin account required libpam_hpsec.so.1
dtlogin account required libpam_authz.so.1
dtlogin account sufficient libpam_unix.so.1
dtlogin account required libpam_ldap.so.1
dtaction account required libpam_hpsec.so.1
dtaction account required libpam_authz.so.1
dtaction account sufficient libpam_unix.so.1
dtaction account required libpam_ldap.so.1
ftp account required libpam_hpsec.so.1
ftp account required libpam_authz.so.1
ftp account sufficient libpam_unix.so.1
ftp account required libpam_ldap.so.1
rcomds account required libpam_hpsec.so.1
rcomds account required libpam_authz.so.1
rcomds account sufficient libpam_unix.so.1
rcomds account required libpam_ldap.so.1
sshd account required libpam_hpsec.so.1
sshd account required libpam_authz.so.1
sshd account sufficient libpam_unix.so.1
sshd account required libpam_ldap.so.1
OTHER account required libpam_hpsec.so.1
OTHER account required libpam_authz.so.1
OTHER account sufficient libpam_unix.so.1
OTHER account required libpam_ldap.so.1
libpam_authz must always be a required module and should not be the only module in the
account stack. If you want the policy of libpam_authz not to affect local accounts, move it after
libpam_unix: the sufficient libpam_unix entry then returns success for local accounts before
libpam_authz is reached.
The following /etc/opt/ldapux/pam_authz.policy file evaluates passwords that are about
to expire and passwords that must be changed after an administrator reset.
allow:unix_local_user
PAM_NEW_AUTHTOK_REQD:ldap_filter:(pwdExpirationWarned=*)
PAM_NEW_AUTHTOK_REQD:ldap_filter:(pwdReset=true)
allow:other
The policy rules above cause libpam_authz to return the new-password-required condition
to the calling PAM-enabled application, such as the login command. If a password must be
changed after an administrator reset, or a password is about to expire, the PAM application
(such as login) prompts for a new password. For example:
# telnet localhost
Trying...
32 LDAP-UX Client Services
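The following model illustrates how the account stack and the pam_authz.policy file above interact. It is an added example written for these release notes, not LDAP-UX or HP code: it assumes standard PAM required/sufficient semantics, an LDAP filter matcher that understands only a single (attr=value) or (attr=*) term, and constructed user records (root as a local account; alice, bob and carol as LDAP accounts). It shows why a pwdReset or pwdExpirationWarned entry yields PAM_NEW_AUTHTOK_REQD, why libpam_authz must be required rather than sufficient, and why moving it after libpam_unix exempts local accounts.

```python
# Simplified model of a PAM "account" stack plus a pam_authz.policy file.
# Added illustration, not LDAP-UX code. Assumptions: standard PAM
# required/sufficient semantics, single-term LDAP filters, constructed users.

PAM_SUCCESS = "PAM_SUCCESS"
PAM_NEW_AUTHTOK_REQD = "PAM_NEW_AUTHTOK_REQD"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"

# The policy file quoted in the text, embedded verbatim.
POLICY_TEXT = """\
allow:unix_local_user
PAM_NEW_AUTHTOK_REQD:ldap_filter:(pwdExpirationWarned=*)
PAM_NEW_AUTHTOK_REQD:ldap_filter:(pwdReset=true)
allow:other
"""

# Constructed sample accounts: one local /etc/passwd user, three LDAP users.
USERS = {
    "root":  {"local": True,  "attrs": {}},
    "alice": {"local": False, "attrs": {"uid": "alice"}},
    "bob":   {"local": False, "attrs": {"uid": "bob", "pwdReset": "TRUE"}},
    "carol": {"local": False, "attrs": {"uid": "carol",
                                        "pwdExpirationWarned": "20100401000000Z"}},
}


def parse_policy(text):
    """Return the policy as an ordered list of (result, condition) rules."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            result, _, condition = line.partition(":")
            rules.append((result, condition))
    return rules


def match_filter(ldap_filter, attrs):
    """(attr=*) is a presence test, (attr=value) a case-insensitive equality
    test. Assumption: no compound &/|/! filters in this model."""
    attr, _, value = ldap_filter.strip("()").partition("=")
    if attr not in attrs:
        return False
    return value == "*" or attrs[attr].lower() == value.lower()


def pam_authz(user, rules):
    """First matching rule decides: 'allow' maps to PAM_SUCCESS, any other
    token is returned as the PAM status (assumption about the policy syntax)."""
    for result, condition in rules:
        if condition == "unix_local_user":
            hit = user["local"]
        elif condition == "other":
            hit = True
        elif condition.startswith("ldap_filter:"):
            hit = (not user["local"]
                   and match_filter(condition[len("ldap_filter:"):], user["attrs"]))
        else:
            hit = False
        if hit:
            return PAM_SUCCESS if result == "allow" else result
    return PAM_AUTH_ERR  # assumption: fail closed when no rule matches


def pam_hpsec(user, rules):
    return PAM_SUCCESS  # modelled as always passing


def pam_unix(user, rules):
    return PAM_SUCCESS if user["local"] else PAM_USER_UNKNOWN


def pam_ldap(user, rules):
    return PAM_SUCCESS if not user["local"] else PAM_USER_UNKNOWN


def run_account_stack(stack, user, rules):
    """Standard semantics: a required failure is recorded but the stack
    continues; a sufficient success ends the stack unless a required module
    already failed. Returns (status, names of modules that ran)."""
    first_failure, ran = None, []
    for control, module in stack:
        ran.append(module.__name__)
        status = module(user, rules)
        if control == "required" and status != PAM_SUCCESS and first_failure is None:
            first_failure = status
        elif control == "sufficient" and status == PAM_SUCCESS and first_failure is None:
            return PAM_SUCCESS, ran  # short-circuit: later modules never run
    return (first_failure or PAM_SUCCESS), ran


# The 'login' stack from the pam.conf fragment above.
LOGIN_STACK = [("required", pam_hpsec), ("required", pam_authz),
               ("sufficient", pam_unix), ("required", pam_ldap)]
# Variant from the text: libpam_authz moved after libpam_unix.
LOGIN_STACK_LOCAL_EXEMPT = [("required", pam_hpsec), ("sufficient", pam_unix),
                            ("required", pam_authz), ("required", pam_ldap)]


def account_status(name, stack=LOGIN_STACK):
    return run_account_stack(stack, USERS[name], parse_policy(POLICY_TEXT))


def reset_user_status(authz_control):
    """Status for bob (pwdReset=TRUE) with libpam_authz under the given flag."""
    stack = [("required", pam_hpsec), (authz_control, pam_authz),
             ("sufficient", pam_unix), ("required", pam_ldap)]
    return run_account_stack(stack, USERS["bob"], parse_policy(POLICY_TEXT))[0]


if __name__ == "__main__":
    for name in USERS:
        print(name, *account_status(name))
    print("authz as sufficient:", reset_user_status("sufficient"))
```

Running the block prints PAM_SUCCESS for root and alice and PAM_NEW_AUTHTOK_REQD for bob and carol. With libpam_authz declared sufficient instead of required, bob's reset requirement is silently dropped: a non-success return from a sufficient module is ignored and the stack ends on libpam_ldap's success, which is the failure mode the "must always be a required module" rule prevents.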