pam_dce(5) HP DCE pam_dce(5)
NAME
pam_dce - authentication, account, and password management PAM
functions for DCE
SYNOPSIS
/usr/lib/security/libpam_dce.so.1
DESCRIPTION
The DCE PAM modules allow integration of DCE into the system entry
services (such as login, telnet, rlogin, ftp) through the pam.conf(4)
file. The DCE service module for PAM consists of the following three
modules: the authentication module, the account management module, and
the password management module. All three modules are supported
through the same loadable library, /usr/lib/security/libpam_dce.so.1.
ilogind is the interface that services the requests from
/usr/lib/security/libpam_dce.so.1. These requests will be communicated
to the DCE security server, which in turn sends the response back to
ilogind. This response is then sent back to
/usr/lib/security/libpam_dce.so.1.
Authentication Module
The authentication module certifies the identity of a user and the
user's credentials. It passes the authentication key derived from the
user's password to the DCE Security Service. The Security Service
then uses the authentication key to certify the user and the user's
credentials. The following options can be passed to the
authentication module through the pam.conf(4) file:
debug           Turn on syslog debugging at the LOG_DEBUG level.
nowarn          Turn off warning messages about not being able to
                acquire DCE credentials.
use_first_pass  Use the initial password (entered when the user is
                authenticated to the first authentication module
                in the stack) to authenticate with DCE. If the
                user cannot be authenticated or if this is the
                first authentication module in the stack, quit and
                do not prompt for a password. It is recommended
                that this option be used only if the authentication
                module is designated as optional in the
                pam.conf(4) configuration file.
try_first_pass  Use the initial password (entered when the user is
                authenticated to the first authentication module
                in the PAM stack) to authenticate with DCE. If the
                user cannot be authenticated or if this is the
                first authentication module in the stack, prompt
                for a password.
Hewlett-Packard Company - 1 - HP DCE/9000 Version 1.9
A user must be authenticated and the user's credentials set before a
system entry service can access any file directories owned by the user
that are mounted through DTS.
Account Management Module
The account management module provides a function to perform account
management (pam_sm_acct_mgmt(3)). ilogind sends a request to the
DCE implementation of the pam_sm_acct_mgmt(3) function, which retrieves
the user's account and password expiration information from the DCE
Security Server and verifies that the user's account and password have
not expired. The following options can be passed to the account
module through the pam.conf(4) file:
debug           Turn on syslog debugging at the LOG_DEBUG level.
nowarn          Turn off warning messages displayed when a
                user's account and/or password are going to
                expire.
pam_sm_acct_mgmt(3) calls the function sec_login_inquire_net_info(3)
to retrieve information about when a user's account and/or password is
going to expire.
Password Management Module
The password management module provides a function to change passwords
(pam_sm_chauthtok(3)). The following options can be passed to the
password module through the pam.conf(4) file:
debug           Turn on syslog debugging at the LOG_DEBUG level.
nowarn          Turn off warning messages about not being able to
                change passwords.
try_first_pass  Use the initial password (entered to the first
                password module in the PAM stack) to authenticate
                with DCE. If the user cannot be authenticated or
                if this is the first password module in the stack,
                prompt for a password.
use_first_pass  Use the initial password (entered to the first
                password module in the PAM stack) to authenticate
                with DCE. If the user cannot be authenticated or if
                this is the first password module in the stack,
                quit and do not prompt for a password. It is
                recommended that this option be used only if the
                DCE password module is designated as optional in
                the pam.conf(4) configuration file.
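The option rules above can be checked mechanically. The following is an added example, not part of the HP manual page or of HP's software: a Python check that reads pam.conf(4) text and reports DCE entries that contradict the documented options. It assumes the usual pam.conf(4) field order (service, module type, control flag, module path, options); the pam_unix library path and all sample entries are constructed.

```python
DCE_LIB = "libpam_dce.so.1"  # library name taken from this page
# Options this page documents for each DCE module type.
ALLOWED = {
    "auth": {"debug", "nowarn", "use_first_pass", "try_first_pass"},
    "account": {"debug", "nowarn"},
    "password": {"debug", "nowarn", "use_first_pass", "try_first_pass"},
}
# Constructed sample; the pam_unix path is an assumed placeholder.
SAMPLE = """\
# service module_type control_flag module_path options
login  auth     required /usr/lib/security/libpam_unix.so.1
login  auth     optional /usr/lib/security/libpam_dce.so.1 use_first_pass
ftp    auth     required /usr/lib/security/libpam_dce.so.1 use_first_pass
login  account  required /usr/lib/security/libpam_dce.so.1 try_first_pass
passwd password required /usr/lib/security/libpam_unix.so.1
passwd password required /usr/lib/security/libpam_dce.so.1 use_first_pass nowarn
"""

def parse(text):
    """Yield (lineno, service, module_type, control_flag, path, options)."""
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()  # drop comments
        if len(fields) >= 4:
            yield n, fields[0], fields[1], fields[2], fields[3], fields[4:]

def lint(text):
    """Return (lineno, message) findings for DCE entries, in file order."""
    findings, seen = [], set()
    for n, svc, mtype, flag, path, opts in parse(text):
        first = (svc, mtype) not in seen  # first module in this stack?
        seen.add((svc, mtype))
        if not path.endswith(DCE_LIB):
            continue
        for opt in opts:
            if opt not in ALLOWED.get(mtype, set()):
                findings.append((n, f"'{opt}' is not documented for {mtype}"))
        if "use_first_pass" in opts:
            if first:  # no earlier module collected a password
                findings.append((n, "use_first_pass on first module: "
                                    "quits without prompting"))
            if flag != "optional":  # recommendation from this page
                findings.append((n, f"use_first_pass with '{flag}'; "
                                    "'optional' is recommended"))
    return findings

if __name__ == "__main__":
    for lineno, message in lint(SAMPLE):
        print(f"line {lineno}: {message}")
```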
SEE ALSO
pam(3), sec_login_setup_identity(3),
sec_login_valid_and_cert_ident(3), sec_login_set_context(3),
sec_login_inquire_net_info(3), pam.conf(4), pam_unix(5), ilogind(1m)