


Standards, Environments, and Macros	  pam_unix_user_policy(5)



NAME
     pam_user_policy - PAM user authentication policy module

SYNOPSIS
     pam_user_policy.so.1

DESCRIPTION
     The pam_user_policy module checks to see that the PAM_USER
     is set to a non-empty value, looks up the name of a PAM
     configuration to use for that user in the user's pam_policy
     user attribute (see user_attr(4)) or in the pam_policy
     attribute of the user's profiles in the listed order (see
     prof_attr(4)), and includes the named configuration by
     calling pam_eval(3PAM).

     In the auth stack, if PAM_USER is not set then
     pam_user_policy prompts for a username and sets PAM_USER.
     The prompt string used is the same as is used by
     pam_authtok_get(5).

     If a user's pam_policy user or profile attribute is not
     found or has an empty value then pam_user_policy returns
     PAM_IGNORE.  This allows pam_user_policy to be stacked as
     binding at the top of any stack in /etc/pam.conf without
     having any effect until the pam_policy user attribute is
     added to individual users or their profiles.

     "/usr/lib/security/" is prepended to any non-absolute file
     paths listed in a user's pam_policy user or profile
     attribute; see pam_eval(3PAM).

RETURN VALUES
     If the PAM_USER item is not set then, in the auth stack,
     pam_user_policy prompts for a PAM_USER and returns
     PAM_USER_UNKNOWN if the user enters an empty username or if
     the conversation function returns anything other than
     PAM_SUCCESS.

     If the PAM_USER item is not set then for any stack other
     than auth pam_user_policy returns PAM_IGNORE.

     If the PAM_USER has no pam_policy user or profile attribute,
     or if its pam_policy attribute's value is empty, then
     pam_user_policy returns PAM_IGNORE.

     Otherwise pam_user_policy returns the value returned by
     pam_eval(3PAM) when called to evaluate the configuration
     associated with the PAM_USER, though if pam_eval(3PAM)
     returns PAM_IGNORE then pam_user_policy returns the default
     error for the current stack (e.g., PAM_AUTH_ERR).





21/Apr/105		Last change: 5.11			1







FILES
     A number of pam.conf files for inclusion by pam_user_policy
     can be found in /usr/lib/security/:

     o   unix.conf -- use only Unix passwords for authentication,
         Unix for account management

     o   krb5.conf -- use Kerberos V only for authentication,
         Unix for account management

     o   krb5-fallback-unix.conf -- use Kerberos V for
         authentication with fallback on Unix authentication, and
         use Unix for account management

     o   ldap.conf -- use LDAP BIND for authentication and LDAP
         for account management

     o   any.conf -- try Kerberos V, LDAP and Unix, in that
         order, and as sufficient, for authentication and
         account management

EXAMPLES
     1.  pam_policy=krb5.conf;

         Indicates that the user should be authenticated with
         Kerberos V for all services.

     2.  pam_policy=custom1.conf

         Indicates that the configuration
         /usr/lib/security/custom1.conf should be used for this
         user.  Such a custom configuration might have different
         configurations for different services, such as requiring
         Unix authentication for console logins but Kerberos V
         for all other services.

     3.  pam_policy=/etc/pam-custom2.conf

         Indicates that the configuration /etc/pam-custom2.conf
         should be used for this user.  Such a custom
         configuration might have different configurations for
         different services, such as requiring Unix
         authentication for console logins but Kerberos V for all
         other services.
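
     The lookup order and path rule from DESCRIPTION, written out
     as an added audit example; it is not part of the original
     manual page or of the module's code.  The user names, profile
     names and entries are constructed samples; the example assumes
     only profiles listed directly in user_attr(4) are consulted and
     that an empty user value falls through to the profiles.

```python
PAM_POLICY_DIR = "/usr/lib/security/"  # prefix stated in the man page

# Constructed sample in user_attr(4) format: user:qualifier:res1:res2:attr
USER_ATTR = """\
alice::::type=normal;pam_policy=krb5.conf
bob::::profiles=Console Operator,Kerberos Users
carol::::profiles=Console Operator;pam_policy=/etc/pam-custom2.conf
dave::::profiles=Console Operator;pam_policy=
"""

# Constructed sample in prof_attr(4) format: name:res1:res2:desc:attr
PROF_ATTR = """\
Console Operator:::Hypothetical profile, no policy:help=none.html
Kerberos Users:::Hypothetical profile with a policy:pam_policy=krb5-fallback-unix.conf
"""

def parse_attr_db(text):
    """Map the first field of each entry to its key=value attributes."""
    db = {}
    for line in text.splitlines():
        fields = line.strip().split(":", 4)
        if line.startswith("#") or len(fields) != 5:
            continue  # comment, blank or malformed entry
        attrs = {}
        for pair in fields[4].split(";"):
            key, sep, value = pair.partition("=")
            if sep:
                attrs[key.strip()] = value.strip()
        db[fields[0]] = attrs
    return db

def effective_policy(user, users, profiles):
    """Return (source, resolved path), or None where the module returns PAM_IGNORE."""
    attrs = users.get(user, {})
    # Assumption: the user's own attribute is tried first, then each profile in order.
    candidates = [("user", attrs.get("pam_policy"))]
    for name in attrs.get("profiles", "").split(","):
        name = name.strip()
        candidates.append(("profile:" + name, profiles.get(name, {}).get("pam_policy")))
    for source, value in candidates:
        if value:  # a missing or empty value is skipped
            path = value if value.startswith("/") else PAM_POLICY_DIR + value
            return source, path
    return None

if __name__ == "__main__":
    users, profiles = parse_attr_db(USER_ATTR), parse_attr_db(PROF_ATTR)
    for user in users:
        print(user, effective_policy(user, users, profiles))
```

     A resolved path outside /usr/lib/security/, as for carol here,
     is worth checking for ownership and write permissions, since
     that file defines the user's authentication stack.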

ATTRIBUTES
     See attributes(5) for descriptions of the following
     attributes:

     _____________________________________________________________
     |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
     |_____________________________|_____________________________|
     | Interface Stability         |                             |
     |_____________________________|_____________________________|
     |   pam_user_policy.so.1      | Stable                      |
     |_____________________________|_____________________________|
     |   unix.conf                 | Stable                      |
     |_____________________________|_____________________________|
     |   krb5.conf                 | Stable                      |
     |_____________________________|_____________________________|
     |   krb5-fallback-unix.conf   | Stable                      |
     |_____________________________|_____________________________|
     |   ldap.conf                 | Stable                      |
     |_____________________________|_____________________________|
     |   any.conf                  | Stable                      |
     |_____________________________|_____________________________|
     | MT-Level                    |                             |
     |_____________________________|_____________________________|
     |   pam_user_policy.so.1      | MT-Safe with exceptions     |
     |_____________________________|_____________________________|

SEE ALSO
     pam(3PAM), pam_eval(3PAM), user_attr(4), prof_attr(4),
     pam_authtok_get(5)






















