LDAP-UX Client Services B.04.10 with Microsoft Windows Active Directory Administrator's Guide: HP-UX 11i v1 and v2

Appendix G Sample /etc/pam.conf File for HP-UX 11i v2 Trusted Mode

This appendix provides a sample PAM configuration file, /etc/pam.conf, used on an HP-UX 11i v2 system to support the coexistence of LDAP-UX and Trusted Mode. If your directory server is Microsoft Windows 2000 or 2003 Active Directory Server and your LDAP client is in Trusted Mode, the /etc/pam.conf file must be configured as shown in the following example file.

Use the following steps to create the /etc/pam.conf example file on the HP-UX 11i v2 system:

  1. Copy the /etc/pam.krb5 file to the /etc/pam.conf file.

  2. Edit the /etc/pam.conf file and change the control flag for the libpam_krb5.so.1 entries to "required" under the Session management section.

  3. Add the try_first_pass option to the libpam_unix.so.1 entries under the Password management section to avoid prompting for the "old password" twice when a local user changes his password or when a local user logs in with an expired password.

#
# PAM configuration
#
# This pam.conf file is intended as an example only.
# see pam.conf(4) for more details
# 

################################################################
# This sample file will authenticate the user who belongs to   #
# either Kerberos or Unix system. Using this configuration file#
# if the user is authenticated through Kerberos then the Unix  #
# authentication will not be invoked. However, if the Kerberos #
# authentication fails for the user, then the fallback         #
# authentication mechanism PAM-Unix will be invoked to         #
# authenticate the user. The assumption is the user is either  #
# present in Kerberos or in Unix system.                       #
#                                                              #
# In case, the administrator wants the password for all the    #
# users to be synchronous between Kerberos and Unix systems,   #
# then the control flag should be set to "required" for all    #
# the entries with use_first_pass option set for pam_unix.     #
# If password synchronization is optional then try_first_pass  #
# option needs to be set for pam_unix, so that the user can    #
# login using the appropriate passwords.                       #
#                                                              #
# The module pam_hpsec(5) is stacked as mandatory module above # 
# all the modules for making security checks before            # 
# authentication.                                              # 
################################################################

#
# Authentication management
#
login      auth required       libpam_hpsec.so.1
login      auth sufficient     libpam_krb5.so.1
login      auth required       libpam_unix.so.1 try_first_pass
su         auth required       libpam_hpsec.so.1
su         auth sufficient     libpam_krb5.so.1
su         auth required       libpam_unix.so.1 try_first_pass
dtlogin    auth required       libpam_hpsec.so.1
dtlogin    auth sufficient     libpam_krb5.so.1
dtlogin    auth required       libpam_unix.so.1 try_first_pass
dtaction   auth required       libpam_hpsec.so.1
dtaction   auth sufficient     libpam_krb5.so.1
dtaction   auth required       libpam_unix.so.1 try_first_pass
ftp        auth required       libpam_hpsec.so.1
ftp        auth sufficient     libpam_krb5.so.1
ftp        auth required       libpam_unix.so.1 try_first_pass
OTHER      auth required       libpam_unix.so.1
#
# Account management
#
login      account required    libpam_hpsec.so.1
login      account sufficient  libpam_krb5.so.1
login      account required    libpam_unix.so.1
su         account required    libpam_hpsec.so.1
su         account sufficient  libpam_krb5.so.1
su         account required    libpam_unix.so.1
dtlogin    account required    libpam_hpsec.so.1
dtlogin    account sufficient  libpam_krb5.so.1
dtlogin    account required    libpam_unix.so.1
dtaction   account required    libpam_hpsec.so.1
dtaction   account sufficient  libpam_krb5.so.1
dtaction   account required    libpam_unix.so.1
ftp        account required    libpam_hpsec.so.1
ftp        account sufficient  libpam_krb5.so.1
ftp        account required    libpam_unix.so.1
OTHER      account required    libpam_unix.so.1
#
# Session management
#
login      session required    libpam_hpsec.so.1
login      session required    libpam_krb5.so.1
login      session required    libpam_unix.so.1
dtlogin    session required    libpam_hpsec.so.1
dtlogin    session required    libpam_krb5.so.1
dtlogin    session required    libpam_unix.so.1
dtaction   session required    libpam_hpsec.so.1
dtaction   session required    libpam_krb5.so.1
dtaction   session required    libpam_unix.so.1
OTHER      session required    libpam_unix.so.1
#
# Password management
#
login      password required   libpam_hpsec.so.1
login      password sufficient libpam_krb5.so.1
login      password required   libpam_unix.so.1 try_first_pass
passwd     password required   libpam_hpsec.so.1
passwd     password sufficient libpam_krb5.so.1
passwd     password required   libpam_unix.so.1 try_first_pass
dtlogin    password required   libpam_hpsec.so.1
dtlogin    password sufficient libpam_krb5.so.1
dtlogin    password required   libpam_unix.so.1 try_first_pass
dtaction   password required   libpam_hpsec.so.1
dtaction   password sufficient libpam_krb5.so.1
dtaction   password required   libpam_unix.so.1 try_first_pass
OTHER      password required   libpam_unix.so.1 try_first_pass
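
Added example, not part of HP's guide: a POSIX shell/awk check that a pam.conf carries the edits from steps 2 and 3 and keeps libpam_hpsec first in every stack that uses libpam_krb5, as in the sample file above. The function names and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not HP's code. Prints one finding per line and returns
# non-zero if the file ("-" = stdin) misses a property described above.
check_pam_conf() {
    awk '
    /^[ \t]*#/ || NF < 4 { next }               # comments, blank lines
    {
        stack = $1 " " $2; flag = $3; mod = $4
        if (!(stack in first)) first[stack] = mod
        if (mod ~ /libpam_krb5/) {
            # Sample header: pam_hpsec is stacked above the other modules.
            if (first[stack] !~ /libpam_hpsec/)
                bad[++n] = stack ": libpam_hpsec is not stacked first"
            # Step 2: krb5 entries under Session management are "required".
            if ($2 == "session" && flag != "required")
                bad[++n] = stack ": libpam_krb5 is \"" flag "\", expected \"required\""
        }
        # Step 3: libpam_unix under Password management has try_first_pass.
        if (mod ~ /libpam_unix/ && $2 == "password") {
            ok = 0
            for (i = 5; i <= NF; i++) if ($i == "try_first_pass") ok = 1
            if (!ok) bad[++n] = stack ": libpam_unix lacks try_first_pass"
        }
    }
    END { for (i = 1; i <= n; i++) print bad[i]; exit (n > 0) }
    ' "$1"
}

# Constructed input: two stacks with steps 2 and 3 not yet applied.
sample_unedited() {
    cat <<'EOF'
login   session  required   libpam_hpsec.so.1
login   session  sufficient libpam_krb5.so.1
login   session  required   libpam_unix.so.1
passwd  password required   libpam_hpsec.so.1
passwd  password sufficient libpam_krb5.so.1
passwd  password required   libpam_unix.so.1
EOF
}

# Constructed input: the same two stacks as in the sample file above.
sample_edited() {
    sample_unedited | sed -e '/session.*libpam_krb5/s/sufficient/required/' \
                          -e '/password.*libpam_unix/s/$/ try_first_pass/'
}

sample_unedited | check_pam_conf - || echo "unedited: findings listed above"
sample_edited   | check_pam_conf - && echo "edited: no findings"
```

To audit a live system, pass the file path instead of "-", for example `check_pam_conf /etc/pam.conf`.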
© 2006 Hewlett-Packard Development Company, L.P.