pam.ignore.users

This configuration parameter specifies one or more users that the agent does not look up in Active Directory: the listed names are skipped for both authentication and NSS lookups and are resolved from local sources only. Because the agent never contacts Active Directory for them, lookups of system accounts such as tty, root, and bin, and of local login accounts, complete faster and do not wait on a domain controller. Because a listed name is never sent to Active Directory, make sure it belongs to a genuine local account: an Active Directory user with the same name cannot log in to this computer, and a listed name with no local account cannot log in at all.

Note:   Starting with Centrify DB2 agent 5.2.3, the db2.implement.pam.ignore.users parameter controls whether the agent checks pam.ignore.users. The pam.ignore.users parameter is checked only if db2.implement.pam.ignore.users is set to true. If db2.implement.pam.ignore.users is set to false, pam.ignore.users is not checked, and all users are authenticated in Active Directory. See db2.implement.pam.ignore.users for details.

In most cases, you set this configuration parameter using group policy. The policy's list is then stored in the /etc/centrifydc/users.ignore file, which disables Active Directory lookups for the users it names. You can, however, set the parameter manually in the configuration file if you are not using group policy or want to temporarily override group policy; a manual override lasts only until the policy is next applied.

If you set this parameter manually, the value is either one or more user names separated by spaces, or the file: keyword followed by the path of a file that lists them. For example, to name the users to authenticate locally inline:

pam.ignore.users: root sys tty

To specify a file that contains a list of the users to ignore:

pam.ignore.users: file:/etc/centrifydc/users.ignore

If this parameter is not defined in the configuration file, no users are ignored: every user is looked up in Active Directory.
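The following shell script is an added example, not part of the Centrify documentation or agent: it resolves the effective pam.ignore.users list from a centrifydc.conf, handling both the inline form and the file: form, and reports any listed name that has no entry in the local passwd file, since such a name is skipped for Active Directory lookup and has no local account to fall back on. It assumes the list file holds whitespace-separated names and that text beginning with # is a comment; it runs against constructed sample files created in a temporary directory rather than the live configuration.

```shell
#!/bin/sh
# Added example, not Centrify's own code: resolve the effective pam.ignore.users
# list from a centrifydc.conf and check every name against the local passwd
# file. Paths are passed as arguments so it runs against the constructed
# sample files created below rather than /etc/centrifydc/centrifydc.conf.

# Split whitespace-separated names, dropping "#" comments (assumed format of
# the list file; inline values normally carry no comments).
words_without_comments() {
    awk '{ for (i = 1; i <= NF; i++) { if ($i ~ /^#/) break; print $i } }'
}

# Print the names pam.ignore.users resolves to, one per line. Handles both
# forms the parameter accepts: an inline list, or "file:<path>". Commented-out
# defaults ("# pam.ignore.users: ...") are not matched. If the parameter is
# absent the output is empty, matching the documented default.
ignored_users() {
    conf="$1"
    value=$(awk '/^[ \t]*pam\.ignore\.users[ \t]*:/ {
                     sub(/^[^:]*:[ \t]*/, ""); v = $0 }
                 END { print v }' "$conf")
    case "$value" in
        file:*) listfile="${value#file:}"
                [ -r "$listfile" ] && words_without_comments < "$listfile" ;;
        *)      printf '%s\n' "$value" | words_without_comments ;;
    esac
}

# Print the ignored names that have no entry in the passwd file. Such a name is
# skipped for AD lookup *and* has no local account, so it cannot log in at all;
# running this check catches a typo before it locks an account out.
missing_ignored_users() {
    conf="$1"; passwd="$2"
    for u in $(ignored_users "$conf"); do
        cut -d: -f1 "$passwd" | grep -qx -- "$u" || printf '%s\n' "$u"
    done
}

# --- constructed sample input (not real host data) ----------------------------
SAMPLE=$(mktemp -d)
printf 'root:x:0:0::/:/bin/sh\nsys:x:3:3::/:/bin/sh\nbin:x:2:2::/:/bin/sh\ntty:x:4:4::/:/bin/false\n' > "$SAMPLE/passwd"
printf 'root sys tty\n# typo for bin: no local account has this name\nbni\n' > "$SAMPLE/users.ignore"
printf '# constructed centrifydc.conf excerpt\npam.ignore.users: file:%s\n' "$SAMPLE/users.ignore" > "$SAMPLE/file.conf"
printf 'pam.ignore.users: root sys tty\n' > "$SAMPLE/inline.conf"

# Audit the file: form; only the misspelled "bni" should be flagged.
echo "ignored: $(ignored_users "$SAMPLE/file.conf" | tr '\n' ' ')"
echo "ignored but not local: $(missing_ignored_users "$SAMPLE/file.conf" "$SAMPLE/passwd" | tr '\n' ' ')"
```

To audit a live host, call missing_ignored_users /etc/centrifydc/centrifydc.conf /etc/passwd; an empty result means every ignored name is backed by a local account.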

Skipping Active Directory authentication for local AIX users

By default, the agent sets the SYSTEM attribute in the default stanza of /etc/security/user, the AIX Loadable Authentication Module (LAM) setting that selects how users are authenticated, to look like this:

SYSTEM=CENTRIFYDC OR CENTRIFYDC[NOTFOUND] AND compat

This value means that authentication is first attempted against Active Directory through the agent's CENTRIFYDC module, and that the local compat method is tried only if Active Directory reports the user as not found; a wrong password for a user that Active Directory does know is not retried locally. In some cases, however, you may have local user accounts that you only want to authenticate locally. The parameters in the agent configuration file (centrifydc.conf) that exclude specific local users from Active Directory authentication, such as pam.ignore.users, are not completely applicable on AIX because authentication there is driven by the LAM SYSTEM attribute rather than by PAM. To exclude a local user account from Active Directory authentication on AIX, run the following command for the user:

chuser SYSTEM=compat username 

Alternatively, edit the /etc/security/user file and set the SYSTEM attribute in that user's stanza to:

SYSTEM=compat

If you later decide to migrate the local user account to Active Directory, run the following command for the user to clear the per-user value so that the default stanza applies again:

chuser SYSTEM= username 

Note:   To reset the user account to be authenticated through Active Directory, there must be a space after the equal sign (=) in the command line, so that SYSTEM is set to an empty value rather than to the next word.
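As an added example (not Centrify's code), the following script audits /etc/security/user stanzas the way the two chuser commands above modify them: for every user stanza it prints the effective SYSTEM value, falling back to the default stanza when the user's own SYSTEM is absent or empty (which is what chuser SYSTEM= leaves), and lists the users pinned to compat, i.e. those that never reach Active Directory. It assumes the standard AIX stanza layout (a name followed by a colon on its own line, indented attribute = value lines, optional double quotes around the value) and runs on a constructed sample file so it can be tried anywhere a POSIX shell and awk are available.

```shell
#!/bin/sh
# Added example, not Centrify's own code: report which users in an AIX
# /etc/security/user file authenticate locally only (SYSTEM=compat) and which
# inherit the default stanza. Takes the file path as an argument so it can run
# against the constructed sample below instead of the live /etc/security/user.

# Print "user<TAB>effective SYSTEM value" for every non-default stanza.
effective_system() {
    awk '
        # "name:" alone on a line opens a stanza; its attributes follow, indented
        /^[^ \t#][^:]*:[ \t]*$/ {
            stanza = $0; sub(/:.*/, "", stanza)
            if (stanza != "default" && !(stanza in seen)) { seen[stanza] = 1; order[n++] = stanza }
            next
        }
        # SYSTEM = value, with or without surrounding double quotes
        /^[ \t]*SYSTEM[ \t]*=/ {
            v = $0
            sub(/^[ \t]*SYSTEM[ \t]*=[ \t]*/, "", v); gsub(/"/, "", v); sub(/[ \t]*$/, "", v)
            sysattr[stanza] = v
        }
        END {
            for (i = 0; i < n; i++) {
                u = order[i]
                # an absent or empty SYSTEM (what "chuser SYSTEM= user" leaves behind)
                # means the default stanza applies
                eff = (u in sysattr && sysattr[u] != "") ? sysattr[u] : sysattr["default"]
                printf "%s\t%s\n", u, eff
            }
        }' "$1"
}

# Print the users whose SYSTEM attribute is exactly "compat": they are never
# passed to Active Directory, which is the state "chuser SYSTEM=compat" creates.
local_only_users() {
    effective_system "$1" | awk -F '\t' '$2 == "compat" { print $1 }'
}

# --- constructed sample /etc/security/user (not real host data) ---------------
STANZA_DIR=$(mktemp -d)
cat > "$STANZA_DIR/user" <<'EOF'
default:
        admin = false
        SYSTEM = "CENTRIFYDC OR CENTRIFYDC[NOTFOUND] AND compat"

root:
        admin = true

svcacct:
        SYSTEM = "compat"

legacy:
        SYSTEM = compat

migrated:
        SYSTEM = ""
EOF

effective_system "$STANZA_DIR/user"
echo "local-only users: $(local_only_users "$STANZA_DIR/user" | tr '\n' ' ')"
```

On a real AIX host, run effective_system /etc/security/user to see every user's resolved SYSTEM value; any user listed by local_only_users will authenticate against local files only until the attribute is cleared with chuser SYSTEM= username.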