There is a good explanation of how to use pam_authz. Basically, on HP-UX systems, if you have initialized a client against an LDAP server and you would like to follow the server's policies instead of local ones, keep reading this article.
Let's go to the issue!!
- File /etc/opt/ldapux/pam_authz.policy.master

This file is read by the script, which looks for the variable $[GTIMEZULU] and substitutes a timestamp for it.

# pam_authz.policy.master
deny:ldap_filter:(accountUnlockTime>=$[GTIMEZULU])
# Allow all users other than those denied above
allow:other

In my case, I only needed to check whether the user was locked or not.
The document mentioned above contains a bash script that solves this issue; I just decided to try it in Perl.

- The script
#!/usr/bin/perl
# Rewrites the pam_authz policy from its template every two seconds,
# replacing $[GTIMEZULU] with the current UTC generalized time.
use strict;
use warnings;
use Fcntl qw(:flock :seek);
use IO::Handle;
use POSIX qw(strftime);

my $template = "/etc/opt/ldapux/pam_authz.policy.master";
my $policy   = "/etc/opt/ldapux/pam_authz.policy";

# The original line creating $policy with a system call was lost to the
# blog's syntax-highlighting plugin; creating it from Perl has the same
# effect, and open reports failure itself, so no separate check of $? is needed.
open my $create, '>', $policy or die "Error creating file $policy: $!\n";
close $create;
chmod 0700, $policy or die "Cannot chmod $policy: $!\n";

update_time();

sub update_time {
    open my $policy_fh, '+<', $policy or die "Cannot open $policy: $!\n";
    while (1) {
        open my $template_fh, '<', $template or die "Cannot open $template: $!\n";
        # Hold an exclusive lock while rewriting so a reader never sees a
        # half-written policy; rewind and truncate rather than appending.
        flock($policy_fh, LOCK_EX) or die "Cannot lock $policy: $!\n";
        seek($policy_fh, 0, SEEK_SET) or die "Cannot seek $policy: $!\n";
        truncate($policy_fh, 0) or die "Cannot truncate $policy: $!\n";
        # UTC generalized time, e.g. 20240105123000Z. Computed in Perl rather
        # than with `TZ=UTC;date ...`, which only reaches date if TZ was
        # already exported in the environment.
        my $time = strftime("%Y%m%d%H%M%SZ", gmtime);
        while (my $line = <$template_fh>) {
            $line =~ s/\$\[GTIMEZULU\]/$time/g;
            print {$policy_fh} $line;
        }
        close $template_fh;
        $policy_fh->flush;             # write buffered data before unlocking
        flock($policy_fh, LOCK_UN);
        sleep 2;
    }
}
There was some strange problem with the syntax-highlighting plugin and I could not add a line. However, you can download the script directly.
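To check that the rendered policy does what the template intends, here is an added Python example (my own, not the ldapux implementation and not from the original post) that substitutes $[GTIMEZULU] the same way the script does, parses the resulting action:type:value lines and evaluates the single-attribute filter forms the page uses against constructed user entries; the "no rule matched means deny" fallback is an assumption, since the page's policy always ends in allow:other.

```python
import re
from datetime import datetime, timezone

# Only the single-attribute filter forms this policy uses are supported:
# (attr=value), (attr>=value) and (attr<=value).
_FILTER_RE = re.compile(r"^\(([A-Za-z][\w-]*)(>=|<=|=)([^)]*)\)$")

def render_policy(template, now):
    # Replace $[GTIMEZULU] with the UTC generalized time, as the Perl script does.
    zulu = now.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")
    return template.replace("$[GTIMEZULU]", zulu)

def parse_policy(text):
    # action:type[:value] lines in file order; blank lines and comments are skipped.
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(":", 2)
            rules.append((parts[0], parts[1], parts[2] if len(parts) > 2 else ""))
    return rules

def filter_matches(flt, entry):
    attr, op, value = _FILTER_RE.match(flt).groups()  # raises on unsupported filters
    actual = entry.get(attr)
    if actual is None:  # attribute absent (never locked): the filter cannot match
        return False
    # Fixed-width YYYYmmddHHMMSSZ strings compare chronologically as plain strings.
    return {"=": actual == value, ">=": actual >= value, "<=": actual <= value}[op]

def authorize(rules, entry):
    # First matching rule wins; no match is treated as deny (an assumption here).
    for action, kind, value in rules:
        if kind == "other" or (kind == "ldap_filter" and filter_matches(value, entry)):
            return action
    return "deny"

# Constructed sample data: the page's template, a fixed "now" and three users.
TEMPLATE = ("deny:ldap_filter:(accountUnlockTime>=$[GTIMEZULU])\n"
            "# Allow all users other than those denied above\n"
            "allow:other\n")
NOW = datetime(2024, 1, 5, 12, 30, tzinfo=timezone.utc)
RULES = parse_policy(render_policy(TEMPLATE, NOW))

def demo():
    return {
        "still_locked": authorize(RULES, {"uid": "alice", "accountUnlockTime": "20240105130000Z"}),
        "lock_expired": authorize(RULES, {"uid": "bob", "accountUnlockTime": "20240101000000Z"}),
        "never_locked": authorize(RULES, {"uid": "carol"}),
    }
```

An account whose accountUnlockTime lies in the future is denied, one whose unlock time has passed or who has no such attribute falls through to allow:other, which is why the timestamp in the rendered file must be kept current.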