The PAM ESM Module supports some additional configuration that can be set by editing the text in the
Configuration Information field. Text in this area is organized into sections which begin with a tag in square brackets, followed by lines in the form
name=value.
The following lists the various configuration sections, and the options that can be set in each section:
[Operation] section
- maxgroups=number
-
Set the maximum number of user groups supported in
Use all groups mode. This must be at least as large as the number of groups that include any user who will sign on to the region. The default
value is 64 and the maximum value is 9999. Increasing this value consumes more shared memory and increases processing time
for authorization requests.
Micro Focus recommends keeping this value close to the actual number of user groups you have specified. It has no effect when the
Use all groups option is not checked.
Note: If you have multiple PAM and/or MLDAP ESMs stacked in a security configuration, then you must have the same setting for
maxgroups, unless Federation is explicitly disabled.
- process groups=yes|no
- This can be set to
no to disable all processing of groups. When it is enabled, the PAM ESM Module attempts to determine the set of operating-system
user groups that the user belongs to, using standard Linux/UNIX APIs. Group membership is not a PAM feature. If the
Use all groups option is checked, the groups will be added to the user's group list. If
Use all groups is unchecked, then if the user specified a signon group, the module confirms that the user belongs to that group and sets
the ACEE group accordingly. Otherwise, the ACEE group is set to the user's default group.
The default value is
yes or enabled.
- group filter=string
[8]
- If configured with a wildcard containing string, the PAM ESM module will only select groups whose names match the pattern
given by the
group filter configuration option. The default value is
*.
For example:
- group filter = mf* will only select groups beginning with
mf.
- group filter = *es* will only select groups starting with or containing
es as a substring.
Note: This does not apply to the user's default group.
[Passtoken] section
- enable=yes|no|self
-
This controls whether passtokens are supported by this security manager. If this is set to
yes, self and surrogate passtokens are enabled. Setting it to
no disables all passtokens. Setting it to
self enables self-passtokens only. The default value is
no.
Note: Even if passtokens are disabled in one security manager, another manager might provide them.
- secret=string
-
Set the secret data which serve as the key for the Message Authentication Code (MAC) in ESF Passtokens generated by the ESM
Module. This data prevents attackers who do not know it from forging passtokens.
Note: Any setting here is not secret to anyone who can read the MFDS repository.
If this value is set, it must be set the same for all security domains (MFDS and ES regions) that exchange passtokens.
- secretfile=path
- Set the
path to a file that contains the secret data for the passtoken MAC. This is more secure than setting the secret data directly
in the configuration. If
secretfile is set, any secret directive is ignored. If neither is set, a built-in default is used, this is less secure.
- duration=seconds
- Set the duration for passtokens in seconds. A token is valid for this length of time after it is generated; after that it
is rejected. The default value is 60 seconds.
- table size=size
-
Sets the size of the table used to store passtokens. If passtokens are being used for multi-factor authentication, then this
table must be larger than the peak number of users concurrently logging on. The default size is 64.
Note: Increasing the size degrades performance by increasing memory requirements.
- short passtoken reuse=yes|no
- Sets whether or not short passtokens, which are used for multi-factor authentication, can be used once or multiple times
and until they expire based on the
duration option. The default value is
no.
[Trace] section
- Config=yes|no
- Setting this to
yes triggures the module to emit a message for each valid configuration setting specified in the
Configuration Information field of your Security Manager. This can be used for auditing and debug purposes. By defaut, this option is set to
no.
- Conversation=setting
- Log various messages regarding the processing of PAM conversations, which are interactions between the PAM ESM Module and
PAM providers. If this is set to a string beginning with "y" or to "1", the ESM Module makes a log message each time its conversation
callback is invoked.
- Conversation errors=setting
- Log error messages and codes received during the processing of PAM conversations. If this is set to a string beginning with
"y" or to "1", the ESM Module makes a log message with additional information regarding PAM errors. PAM errors cause the Verify
operation to fail or be denied with the appropriate ESF return codes, but by default the exact details are not logged.
- Groups=setting
- Log various messages regarding the processing of user groups. If this is set to a string beginning with "y" or to "1", the
ESM Module makes a log entry when it determines that a user belongs to a group during Verify. This is useful when debugging
problems when
Use all groups is checked.
- TraceN=rule
-
Define a rule for filtered tracing. Filtered tracing lets you trace only requests that meet a set of conditions, defined
by the tracing rule.
N in the name is a number from 1 through 8, the maximum number of filtered-tracing rules. For example, Trace1, Trace2, and
so on. You can specify rules out of order and skip numbers - they only need to be unique and between 1 through 8.)
A tracing rule has the format:
function:actor:result
where:
- function
- The only function provided by the PAM ESM Modeule is
verify.
- actor
- This is a username. You can use wildcards.
- result
- This can be one of the following values:
- allow
- deny
- unknown
- fail
- any
- debug
The request is traced if all of the conditions of the rule are met. Tracing means one or more informational messages about
the request is written to the log. A result setting of
debug is logged based on any result (like any), but may log additional information during processing a request that matches the
function and actor.
For example:
verify:SYSAD:deny
This traces Verify (signon) requests where the SYSAD user is denied.
Filtered tracing can be used to isolate issues on busy systems, where normal tracing would produce excessive output. It does
affect performance, since each request must be examined to see if it matches a trace rule.
- Verify=setting
- Log various messages regarding the processing of Verify requests. If this is set to a string beginning with "y" or "1", then
the ESM Module makes one or more informational log entries with additional information about each Verify request.