PAM ESM Module Custom Configuration Information

The PAM ESM Module supports some additional configuration that can be set by editing the text in the Configuration Information field. Text in this area is organized into sections which begin with a tag in square brackets, followed by lines in the form name=value.

The following lists the various configuration sections, and the options that can be set in each section:

[Operation] section

maxgroups=number

Set the maximum number of user groups supported in Use all groups mode. This must be at least as large as the number of groups that include any user who will sign on to the region. The default value is 64 and the maximum value is 9999. Increasing this value consumes more shared memory and increases processing time for authorization requests. Micro Focus recommends keeping this value close to the actual number of user groups you have specified. It has no effect when the Use all groups option is not checked.

Note: If you have multiple PAM and/or MLDAP ESMs stacked in a security configuration, then you must have the same setting for maxgroups, unless Federation is explicitly disabled.
process groups=yes|no
This can be set to no to disable all processing of groups. When it is enabled, the PAM ESM Module attempts to determine the set of operating-system user groups that the user belongs to, using standard Linux/UNIX APIs. Group membership is not a PAM feature. If the Use all groups option is checked, the groups will be added to the user's group list. If Use all groups is unchecked, then if the user specified a signon group, the module confirms that the user belongs to that group and sets the ACEE group accordingly. Otherwise, the ACEE group is set to the user's default group.

The default value is yes or enabled.

group filter=string
If configured with a wildcard containing string, the PAM ESM module will only select groups whose names match the pattern given by the group filter configuration option. The default value is *.

For example:

  • group filter = mf* will only select groups beginning with mf.
  • group filter = *es* will only select groups starting with or containing es as a substring.
Note: This does not apply to the user's default group.

[Passtoken] section

enable=yes|no|self

This controls whether passtokens are supported by this security manager. If this is set to yes, self and surrogate passtokens are enabled. Setting it to no disables all passtokens. Setting it to self enables self-passtokens only. The default value is no.

Note: Even if passtokens are disabled in one security manager, another manager might provide them.
secret=string

Set the secret data which serve as the key for the Message Authentication Code (MAC) in ESF Passtokens generated by the ESM Module. This data prevents attackers who do not know it from forging passtokens.

Note: Any setting here is not secret to anyone who can read the MFDS repository.

If this value is set, it must be set the same for all security domains (MFDS and ES regions) that exchange passtokens.

secretfile=path
Set the path to a file that contains the secret data for the passtoken MAC. This is more secure than setting the secret data directly in the configuration. If secretfile is set, any secret directive is ignored. If neither is set, a built-in default is used, this is less secure.
duration=seconds
Set the duration for passtokens in seconds. A token is valid for this length of time after it is generated; after that it is rejected. The default value is 60 seconds.
table size=size

Sets the size of the table used to store passtokens. If passtokens are being used for multi-factor authentication, then this table must be larger than the peak number of users concurrently logging on. The default size is 64.

Note: Increasing the size degrades performance by increasing memory requirements.
short passtoken reuse=yes|no
Sets whether or not short passtokens, which are used for multi-factor authentication, can be used once or multiple times and until they expire based on the duration option. The default value is no.

[Trace] section

Config=yes|no
Setting this to yes triggures the module to emit a message for each valid configuration setting specified in the Configuration Information field of your Security Manager. This can be used for auditing and debug purposes. By defaut, this option is set to no.
Conversation=setting
Log various messages regarding the processing of PAM conversations, which are interactions between the PAM ESM Module and PAM providers. If this is set to a string beginning with "y" or to "1", the ESM Module makes a log message each time its conversation callback is invoked.
Conversation errors=setting
Log error messages and codes received during the processing of PAM conversations. If this is set to a string beginning with "y" or to "1", the ESM Module makes a log message with additional information regarding PAM errors. PAM errors cause the Verify operation to fail or be denied with the appropriate ESF return codes, but by default the exact details are not logged.
Groups=setting
Log various messages regarding the processing of user groups. If this is set to a string beginning with "y" or to "1", the ESM Module makes a log entry when it determines that a user belongs to a group during Verify. This is useful when debugging problems when Use all groups is checked.
TraceN=rule

Define a rule for filtered tracing. Filtered tracing lets you trace only requests that meet a set of conditions, defined by the tracing rule. N in the name is a number from 1 through 8, the maximum number of filtered-tracing rules. For example, Trace1, Trace2, and so on. You can specify rules out of order and skip numbers - they only need to be unique and between 1 through 8.)

A tracing rule has the format:

function:actor:result

where:

function
The only function provided by the PAM ESM Modeule is verify.
actor
This is a username. You can use wildcards.
result
This can be one of the following values:
  • allow
  • deny
  • unknown
  • fail
  • any
  • debug

The request is traced if all of the conditions of the rule are met. Tracing means one or more informational messages about the request is written to the log. A result setting of debug is logged based on any result (like any), but may log additional information during processing a request that matches the function and actor.

For example:

verify:SYSAD:deny

This traces Verify (signon) requests where the SYSAD user is denied.

Filtered tracing can be used to isolate issues on busy systems, where normal tracing would produce excessive output. It does affect performance, since each request must be examined to see if it matches a trace rule.

Verify=setting
Log various messages regarding the processing of Verify requests. If this is set to a string beginning with "y" or "1", then the ESM Module makes one or more informational log entries with additional information about each Verify request.