Showing results for 
Search instead for 
Did you mean: 

CDE login using pam_authz authorization

Jens Keinath
Occasional Visitor

CDE login using pam_authz authorization

Is there a way to get the /opt/ldapux/pam_authz.policy checks applied when login in via CDE?
In our system (HP-UX 11i), user authentication is setup using a Redhat Directory Server. The pam_authz.policy rules are applied correctly, when using a console login (the syslog.debug log shows correct pam_authz rule evaluation information).
Whenever we login via CDE, the pam_autz.policy rules are ignored. In this case, the syslog.debug log doesn't show any pam_autz.policy debug information but an entry with "pam_authentication error"!?
Nevertheless, the authentication worked fine, despite of this syslog error entry.
Steven E. Protter
Exalted Contributor

Re: CDE login using pam_authz authorization


Few things:

1) You are right to not ignore the error.
2) I'm betting you may get the same error with other login types other than CDE
3) If I'm wrong on #2, you may fix the issue by patching, it could be a CDE problem.
4) If authentication is fine, CDE authenticationi should follow all pam rules. You can test this by changing the rules and seeing if CDE behavior changes.

Steven E Protter
Owner of ISN Corporation
Jens Keinath
Occasional Visitor

Re: CDE login using pam_authz authorization

Thanks Steven,

2) I'll have to check, if the error occurs for non CDE login types, too.

4) CDE authentication is working fine and follows the PAM rules. I could verify that for the "auth" entry within the pam.conf file.

Nevertheless, it seems that the account checking rules of the libpam_authz.1 module do not work for CDE login where the same configuration is working for console login as expected.

Does someone know about a CDE problem/patch?

Frequent Advisor

Re: CDE login using pam_authz authorization

You may have already checked this, but CDE uses 'dtlogin' and not 'login', so the pam_authz lines in pam.conf have to be applied to the 'dtlogin' lines. If 'dtlogin' lines don't exist then the default used are the 'OTHER' lines in pam.conf.