Using the PAM ESM Module and MLDAP ESM Module together

You can secure an enterprise server with a single Security Manager using the PAM ESM Module. In this configuration there is no resource access control, only user access (signon).

To get user access control using PAM and resource access control, you will need two security managers, one with the PAM ESM Module and one with the MLDAP ESM Module. Resource access rules will need to be configured in an LDAP repository.

In this configuration, the PAM security manager would typically appear first in the security configuration's manager list, so that PAM gets the first opportunity to verify the user. The MLDAP security manager would appear second.

If you wish to use the operating system's user-group information, you must configure group federation for the External Security Facility (ESF). See Security Federation for more information. This lets the PAM and MLDAP modules share group information. For example, if a user belongs to the operating system's group "dev", you can create access control entries for resources that refer to "dev group" in your resource control rules.

The Use all groups option on the enterprise server's Security tab, or on the Default ES Security tab, behaves as it normally does in this configuration. If it is enabled, users will have all the permissions associated with any of their groups. If it is not enabled, users will only have the permissions associated with their signon group.
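The following is an added illustrative model of the two-manager flow described above (PAM signon first, then MLDAP resource rules evaluated against federated operating-system groups, with and without Use all groups). It is not Micro Focus code and does not use the real ESM configuration or LDAP schema; the user record, the resource rules and the assumption that a failed PAM signon denies access are all constructed for the example.

```python
# Constructed sample data: an operating-system user record as PAM would see it.
# "groups" are the OS groups that group federation makes visible to the MLDAP module.
OS_USERS = {
    "alice": {"password": "s3cret", "signon_group": "dev", "groups": ["dev", "ops"]},
}

# Constructed stand-in for resource access rules held in the LDAP repository:
# resource -> group -> set of permitted operations.
RESOURCE_RULES = {
    "payroll.dat": {"dev": {"read"}, "ops": {"read", "update"}},
    "build.log":   {"dev": {"read", "update"}},
}


def pam_signon(user, password):
    """First security manager: PAM verifies the user (signon only, no resource checks)."""
    rec = OS_USERS.get(user)
    return rec is not None and rec["password"] == password


def mldap_permissions(user, resource, use_all_groups):
    """Second security manager: resolve permissions from the LDAP rules.

    With Use all groups enabled, every federated OS group of the user contributes
    its permissions; otherwise only the signon group is consulted.
    """
    rec = OS_USERS[user]
    rules = RESOURCE_RULES.get(resource, {})
    groups = rec["groups"] if use_all_groups else [rec["signon_group"]]
    perms = set()
    for group in groups:
        perms |= rules.get(group, set())
    return perms


def check_access(user, password, resource, permission, use_all_groups):
    """Run the manager chain: deny on failed signon (assumption), then check the rule."""
    if not pam_signon(user, password):
        return False
    return permission in mldap_permissions(user, resource, use_all_groups)
```

With Use all groups enabled, alice inherits "update" on payroll.dat from her "ops" membership; with it disabled, only the "dev" rule applies and the update is refused.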