LDAP-UX Integration B.04.20 Release Notes (June 2009)

sshd account required libpam_hpsec.so.1
sshd account required libpam_authz.so.1
sshd account sufficient libpam_unix.so.1
sshd account required libpam_ldap.so.1
OTHER account required libpam_hpsec.so.1
OTHER account required libpam_authz.so.1
OTHER account sufficient libpam_unix.so.1
OTHER account required libpam_ldap.so.1
libpam_authz must always be a required module and should not be the only module in the
account stack. If you do not want the libpam_authz policy to affect local accounts, move it after
the sufficient libpam_unix entry: a local account that libpam_unix accepts then ends the stack
before libpam_authz is consulted.
The following /etc/opt/ldapux/pam_authz.policy file evaluates passwords that are about
to expire and passwords that must be changed after an administrator reset.
allow:unix_local_user
PAM_NEW_AUTHTOK_REQD:ldap_filter:(pwdExpirationWarned=*)
PAM_NEW_AUTHTOK_REQD:ldap_filter:(pwdReset=true)
allow:other
With these rules, libpam_authz returns the new-password-required status (PAM_NEW_AUTHTOK_REQD)
to the calling PAM-enabled application, such as the login command, whenever the user's password
is about to expire or must be changed after an administrator reset. The application (login, in this
example) then prompts for a new password. For example:
# telnet localhost
Trying...
Connected to localhost.
Escape character is '^]'.
Local flow control on
Telnet TERMINAL-SPEED option ON
HP-UX hostname B.11.31 U ia64 (tc)
login: username
Password: Your password has expired. Choose a new one
Old password:
New password:
Re-enter new password:
Passwd successfully changed
login:
NOTE: This password expiration policy evaluation only triggers during the password expiration
warning period (as defined by pwdExpireWarning). Once the password has actually expired,
authentication fails and the user is not prompted to change it. If this condition occurs,
the password must be reset using an external mechanism.
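The following simulation is an added example, not LDAP-UX code, that models the account stack and the pam_authz.policy file shown above. It assumes the policy is evaluated top to bottom with the first matching rule deciding and no match denying, classic required/sufficient control-flag semantics, and stubbed behaviour for libpam_hpsec, libpam_unix and libpam_ldap; the user accounts and LDAP attribute values are constructed sample data. It shows the PAM_NEW_AUTHTOK_REQD status reaching the application for the two LDAP rules, and why moving libpam_authz after the sufficient libpam_unix entry keeps the policy from ever being consulted for a local account.

```python
"""Simulation of a PAM 'account' stack calling a pam_authz-style policy (added example,
not LDAP-UX code). Assumed: rules are evaluated top to bottom and the first match wins,
no match denies, and classic required/sufficient control-flag semantics apply."""
from typing import Dict, List, Tuple

PAM_SUCCESS = "PAM_SUCCESS"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_PERM_DENIED = "PAM_PERM_DENIED"
PAM_NEW_AUTHTOK_REQD = "PAM_NEW_AUTHTOK_REQD"

# Constructed sample accounts: local /etc/passwd users and LDAP entries with policy state.
LOCAL_USERS = {"root", "opsadmin"}
LDAP_ENTRIES: Dict[str, Dict[str, str]] = {
    "alice": {"pwdExpirationWarned": "20090601000000Z"},  # inside the expiry warning period
    "bob": {"pwdReset": "TRUE"},                           # administrator reset pending
    "carol": {},                                           # nothing pending
}

# The policy file from the release notes.
POLICY = """\
allow:unix_local_user
PAM_NEW_AUTHTOK_REQD:ldap_filter:(pwdExpirationWarned=*)
PAM_NEW_AUTHTOK_REQD:ldap_filter:(pwdReset=true)
allow:other
"""

def ldap_filter_matches(entry: Dict[str, str], flt: str) -> bool:
    """Only the two filter shapes the policy uses: (attr=*) presence and (attr=value)
    equality, compared case-insensitively as these LDAP attribute syntaxes are."""
    flt = flt.strip()
    if not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError(f"unsupported filter: {flt}")
    attr, _, value = flt[1:-1].partition("=")
    for name, present in entry.items():
        if name.lower() == attr.lower():
            return value == "*" or present.lower() == value.lower()
    return False

def parse_policy(text: str) -> List[Tuple[str, str, str]]:
    """Each rule is action:condition[:argument]; blank lines and '#' comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, _, rest = line.partition(":")
        cond, _, arg = rest.partition(":")
        rules.append((action, cond, arg))
    return rules

RULES = parse_policy(POLICY)

def pam_authz(user: str, rules=RULES) -> str:
    """'allow' yields PAM_SUCCESS; any other action is returned verbatim as the PAM status."""
    entry = LDAP_ENTRIES.get(user, {})
    for action, cond, arg in rules:
        if cond == "unix_local_user":
            matched = user in LOCAL_USERS
        elif cond == "ldap_filter":
            matched = user in LDAP_ENTRIES and ldap_filter_matches(entry, arg)
        elif cond == "other":
            matched = True
        else:
            raise ValueError(f"unknown condition: {cond}")
        if matched:
            return PAM_SUCCESS if action == "allow" else action
    return PAM_PERM_DENIED  # assumed default when no rule matches

def pam_hpsec(user: str) -> str:  # HP-UX security extensions: no checks in this simulation
    return PAM_SUCCESS

def pam_unix(user: str) -> str:
    return PAM_SUCCESS if user in LOCAL_USERS else PAM_USER_UNKNOWN

def pam_ldap(user: str) -> str:
    return PAM_SUCCESS if user in LDAP_ENTRIES else PAM_USER_UNKNOWN

def run_account_stack(user: str, stack) -> Tuple[str, List[str]]:
    """'required' records the first non-success status and keeps going; 'sufficient' ends the
    stack with success if nothing required has failed yet. Returns (status, modules invoked)."""
    first_failure, trace = None, []
    for name, flag, module in stack:
        trace.append(name)
        status = module(user)
        if flag == "required":
            if status != PAM_SUCCESS and first_failure is None:
                first_failure = status
        elif flag == "sufficient":
            if status == PAM_SUCCESS and first_failure is None:
                return PAM_SUCCESS, trace
        else:
            raise ValueError(f"unsupported control flag: {flag}")
    return (first_failure or PAM_SUCCESS), trace

# OTHER account stack as shipped (libpam_authz before libpam_unix) ...
STACK_AS_SHIPPED = [("libpam_hpsec", "required", pam_hpsec), ("libpam_authz", "required", pam_authz),
                    ("libpam_unix", "sufficient", pam_unix), ("libpam_ldap", "required", pam_ldap)]
# ... and with libpam_authz moved after libpam_unix, so local accounts bypass the policy.
STACK_AUTHZ_AFTER_UNIX = [("libpam_hpsec", "required", pam_hpsec), ("libpam_unix", "sufficient", pam_unix),
                          ("libpam_authz", "required", pam_authz), ("libpam_ldap", "required", pam_ldap)]

if __name__ == "__main__":
    for user in ("opsadmin", "alice", "bob", "carol", "nobody"):
        for label, stack in (("shipped", STACK_AS_SHIPPED), ("authz after unix", STACK_AUTHZ_AFTER_UNIX)):
            status, trace = run_account_stack(user, stack)
            print(f"{user:9} {label:17} {status:21} via {' -> '.join(trace)}")
```

Running the script prints one line per user and stack: alice and bob come back PAM_NEW_AUTHTOK_REQD from the required libpam_authz entry even though libpam_ldap later succeeds, carol and the local user pass, and an unknown user is rejected by libpam_ldap. For opsadmin the trace shows libpam_authz only in the shipped ordering; with the module after libpam_unix, the sufficient success ends the stack first.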