Operating System - HP-UX

PAM authentication service module - "authorization" problem

Steve Hinchman
Advisor

We are researching and testing the use of LDAP-UX with PAM/Kerberos to perform UNIX user account management with MS Active Directory.

We have succeeded in installing all the current products necessary and are able to "authenticate" UNIX users from AD.

Problem: unable to "authorize" UNIX users correctly.

We have the following as the first entry in the account management section of /etc/pam.conf:
login auth required /usr/lib/security/libpam_authz.1 debug

We also have the following entry in /etc/opt/ldapux/pam_authz.policy:
deny:unix_user:xxxxxxxx

I expected user "xxxxxxxx" to be denied access to the system BUT the user was granted access and provided a command prompt.

The debug.log shows the following:
Jan 20 15:57:48 sysname login: PAM_AUTHZ Entering pam_sm_authenticate ...
Jan 20 15:57:48 sysname login: PAM_AUTHZ pam_sm_authenticate(login, xxxxxxxx), flags = 0
Jan 20 15:57:48 sysname login: PAM_AUTHZ Entering check_authorization() ...
Jan 20 15:57:48 sysname login: PAM_AUTHZ pam_sm_authenticate returns (0)!
Jan 20 15:57:55 s1x011 login: PAM_AUTHZ Entering pam_sm_setcred ...

It appears to me that the authorization function does not work correctly. Can anyone tell me why the PAM "authorization" function is allowing access when it should be denying it?
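As an added example, not part of the original post or of HP's LDAP-UX product, the following Python script cross-checks the two things the post puts side by side: which PAM module type(s) a module is listed under for a service in /etc/pam.conf, and which pam_sm_* entry points the module's debug log shows being called. libpam dispatches to a module's pam_sm_authenticate and pam_sm_setcred only from entries whose type field is auth, and to pam_sm_acct_mgmt only from entries whose type field is account, so the script reports whether the module is wired into the account stack at all and whether the log ever records pam_sm_acct_mgmt. The sample pam.conf fragment, policy file and log lines are constructed to mirror the post; the extra libpam_krb5/libpam_unix lines, and the assumption that pam_authz.policy uses the three-field action:subject_type:name layout seen in the post's single rule, are mine, not the post's.

```python
"""Cross-check a PAM service's stacks against a PAM module's debug log.

Added example; not code from the original post or from HP's LDAP-UX product.
Parses HP-UX-style /etc/pam.conf lines ("service type control module
[options]") and pam_authz-style debug lines, then reports which of the four
PAM module types a module is wired into and which pam_sm_* entry points the
log actually shows.  All sample input below is constructed for the example.
"""

import re
from collections import defaultdict

# libpam reaches a module through one entry point per module type (the "auth"
# type additionally reaches pam_sm_setcred).  An entry whose type field is
# "auth" is never used by pam_acct_mgmt(); only "account" entries are.
ENTRYPOINT_FOR_TYPE = {
    "auth": "pam_sm_authenticate",
    "account": "pam_sm_acct_mgmt",
    "session": "pam_sm_open_session",
    "password": "pam_sm_chauthtok",
}

SAMPLE_PAM_CONF = """\
# constructed /etc/pam.conf fragment for the "login" service
# (first line mirrors the post; the krb5/unix lines are assumptions)
login auth required /usr/lib/security/libpam_authz.1 debug
login auth required /usr/lib/security/libpam_krb5.1
login account required /usr/lib/security/libpam_unix.1
login session required /usr/lib/security/libpam_unix.1
"""

SAMPLE_POLICY = """\
# constructed /etc/opt/ldapux/pam_authz.policy, mirroring the post
deny:unix_user:xxxxxxxx
"""

SAMPLE_LOG = """\
Jan 20 15:57:48 sysname login: PAM_AUTHZ Entering pam_sm_authenticate ...
Jan 20 15:57:48 sysname login: PAM_AUTHZ pam_sm_authenticate(login, xxxxxxxx), flags = 0
Jan 20 15:57:48 sysname login: PAM_AUTHZ Entering check_authorization() ...
Jan 20 15:57:48 sysname login: PAM_AUTHZ pam_sm_authenticate returns (0)!
Jan 20 15:57:55 sysname login: PAM_AUTHZ Entering pam_sm_setcred ...
"""


def parse_pam_conf(text):
    """Map (service, type) -> list of (control, module, options)."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[1] not in ENTRYPOINT_FOR_TYPE:
            raise ValueError("malformed pam.conf line: %r" % raw)
        service, mtype, control, module = fields[:4]
        stacks[(service, mtype)].append((control, module, fields[4:]))
    return stacks


def types_using_module(stacks, service, module_name):
    """Module types (auth/account/...) under which `service` loads `module_name`."""
    return sorted(
        mtype
        for (svc, mtype), entries in stacks.items()
        if svc == service and any(mod.endswith(module_name) for _, mod, _ in entries)
    )


def parse_policy(text):
    """pam_authz.policy rules as (action, subject_type, name) tuples.

    Assumes the three-field colon-separated layout shown in the post; the
    real file may accept more forms than this example handles.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            action, kind, name = line.split(":", 2)
            rules.append((action, kind, name))
    return rules


# Matches "Entering pam_sm_xxx", "pam_sm_xxx(...)" and "pam_sm_xxx returns".
ENTRY_RE = re.compile(r"PAM_AUTHZ (?:Entering )?(pam_sm_[a-z_]+)")


def entrypoints_in_log(text):
    """pam_sm_* entry points the module logged, in first-seen order."""
    seen = []
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def diagnose(conf_text, policy_text, log_text, service, module_name, user):
    """Summarise how `module_name` is wired for `service` and what the log shows."""
    stacks = parse_pam_conf(conf_text)
    types_ = types_using_module(stacks, service, module_name)
    seen = entrypoints_in_log(log_text)
    denies = [r for r in parse_policy(policy_text) if r[0] == "deny" and r[2] == user]
    return {
        "module_types": types_,
        "expected_entrypoints": [ENTRYPOINT_FOR_TYPE[t] for t in types_],
        "logged_entrypoints": seen,
        "acct_mgmt_wired": "account" in types_,
        "acct_mgmt_logged": "pam_sm_acct_mgmt" in seen,
        "deny_rules_for_user": denies,
    }


if __name__ == "__main__":
    report = diagnose(SAMPLE_PAM_CONF, SAMPLE_POLICY, SAMPLE_LOG,
                      "login", "libpam_authz.1", "xxxxxxxx")
    for key, value in report.items():
        print("%-22s %s" % (key + ":", value))
```

Run as-is, the report lists the module under the auth type only, shows pam_sm_authenticate and pam_sm_setcred as the only logged entry points, and reports acct_mgmt_wired and acct_mgmt_logged both False even though a deny rule for the user exists. Change the type field of the first sample line from auth to account and the same script reports the module in the account stack, which is the stack the post describes the entry as belonging to.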