LDAP-UX Client Services B.04.00 Administrator's Guide

Administering LDAP-UX Client Services
PAM_AUTHZ Login Authorization Enhancement
Chapter 4    116
evaluated to be true. PAM_AUTHZ obtains the netgroup
information by querying the name services specified in
nsswitch.conf. For example:
allow:netgroup:netgroup1,netgroup2,netgroup3
A user who belongs to netgroup1 tries to log in. The
above access rule evaluates to true and the user is
granted login access.
ldap_group
This option specifies an access rule based on
non-posixGroup membership, that is, membership in
LDAP groups that are not posixGroup entries. PAM_AUTHZ
supports LDAP groups with the groupOfNames or
groupOfUniqueNames objectclass. A list of ldap_group
names is specified in the <object> field. The group
membership information is stored in the LDAP
directory server. An example of an ldap_group type of
access rule is as follows:
deny:ldap_group:engineering_ldapgroup,support_ldapgroup,epartner_ldapgroup
PAM_AUTHZ retrieves the membership of each listed
group from the directory server through LDAP-UX
Client Services, then checks whether the user's
Distinguished Name (DN) matches any value in the
member or uniquemember attribute.
ldap_filter
In role-based access management, permission to
access a resource is controlled by the user's role,
such as sales force, technical support or subscriber
status; roles are typically defined by common business
attributes of users according to company policy. The
ldap_filter access rule applies the same concept. A
search filter is defined in the <object> field and
consists of one or more (attribute=value) pairs. If the
user entry is successfully retrieved from the directory
server by using the search filter, the access rule is
considered true. An example of an ldap_filter type of
access rule is as follows:
allow:ldap_filter:(&(manager=paulw)(businesscategory=marketing))
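The three rule types above share one <action>:<type>:<object> shape but are satisfied by different lookups: a netgroup lookup through nsswitch.conf, a DN comparison against a group's member or uniquemember values, and a search filter against the user's own entry. The following evaluator is an added example written for this guide's discussion, not HP's pam_authz code. It assumes constructed in-memory data in place of the netgroup sources and the directory (the netgroup names, group DNs, user DNs and user attributes are all made up), assumes rules are evaluated top to bottom with the first matching rule deciding and a default of deny when none matches (this page does not state either), and compares DNs as lower-cased strings, which is a simplification of real DN matching. The filter parser covers only the &, |, ! and (attribute=value) forms used on this page.

```python
"""Constructed evaluator for PAM_AUTHZ-style <action>:<type>:<object> rules.
Not HP's pam_authz: all data below is made-up sample data standing in for
nsswitch.conf name services and the LDAP directory."""
from collections import namedtuple

Rule = namedtuple("Rule", "action rtype obj")

# Constructed netgroup table (what nsswitch.conf sources would return).
NETGROUPS = {"netgroup1": {"alice", "bob"}, "netgroup2": {"carol"}}
# Constructed group entries keyed by the name used in the <object> field;
# groupOfNames uses "member", groupOfUniqueNames uses "uniquemember".
LDAP_GROUPS = {
    "engineering_ldapgroup": {"member": ["uid=dave,ou=People,dc=example,dc=com"]},
    "support_ldapgroup": {"uniquemember": ["uid=alice,ou=People,dc=example,dc=com"]},
}
# Constructed user entries: login name -> (DN, lower-cased attributes).
USERS = {
    "alice": ("uid=alice,ou=People,dc=example,dc=com", {"manager": ["paulw"]}),
    "dave": ("uid=dave,ou=People,dc=example,dc=com", {"manager": ["paulw"]}),
    "erin": ("uid=erin,ou=People,dc=example,dc=com",
             {"manager": ["paulw"], "businesscategory": ["marketing"]}),
    "frank": ("uid=frank,ou=People,dc=example,dc=com", {}),
}


def parse_rule(line):
    """Split a policy line into its three fields; the <object> field may
    itself contain colons (e.g. inside a filter value), so split only twice."""
    action, rtype, obj = line.strip().split(":", 2)
    return Rule(action.lower(), rtype.lower(), obj)


def _parse_filter(s, i=0):
    """Recursive-descent parser for the filter subset (&...), (|...), (!...)
    and (attr=value). Returns (node, index just past the closing paren)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at %d in %r" % (i, s))
    i += 1
    if s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse_filter(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unbalanced filter: %r" % s)
        return (op, children), i + 1
    j = s.index(")", i)
    attr, sep, value = s[i:j].partition("=")
    if not sep:
        raise ValueError("unsupported filter item: %r" % s[i:j])
    return ("=", attr.strip().lower(), value), j + 1


def _eval_filter(node, attrs):
    """Evaluate a parsed filter against one entry's attributes (case-insensitive)."""
    op = node[0]
    if op == "=":
        return any(v.lower() == node[2].lower() for v in attrs.get(node[1], []))
    if op == "&":
        return all(_eval_filter(c, attrs) for c in node[1])
    if op == "|":
        return any(_eval_filter(c, attrs) for c in node[1])
    return not _eval_filter(node[1][0], attrs)  # op == "!"


def rule_matches(rule, user):
    """True when the rule's <object> is satisfied for this login name."""
    dn, attrs = USERS[user]
    if rule.rtype == "netgroup":
        return any(user in NETGROUPS.get(g, ()) for g in rule.obj.split(","))
    if rule.rtype == "ldap_group":
        for g in rule.obj.split(","):
            entry = LDAP_GROUPS.get(g, {})  # unknown group: no members
            members = entry.get("member", []) + entry.get("uniquemember", [])
            if any(m.lower() == dn.lower() for m in members):  # simplified DN match
                return True
        return False
    if rule.rtype == "ldap_filter":
        node, end = _parse_filter(rule.obj)
        if end != len(rule.obj):
            raise ValueError("trailing data in filter: %r" % rule.obj)
        return _eval_filter(node, attrs)
    raise ValueError("unknown rule type %r" % rule.rtype)


def decide(policy_lines, user, default="deny"):
    """First matching rule decides (assumed ordering); default when none matches."""
    for line in policy_lines:
        if line.strip() and not line.lstrip().startswith("#"):
            rule = parse_rule(line)
            if rule_matches(rule, user):
                return rule.action
    return default


POLICY = [  # the three example rules from this page, in this order
    "allow:netgroup:netgroup1,netgroup2,netgroup3",
    "deny:ldap_group:engineering_ldapgroup,support_ldapgroup,epartner_ldapgroup",
    "allow:ldap_filter:(&(manager=paulw)(businesscategory=marketing))",
]

if __name__ == "__main__":
    for u in USERS:
        print(u, "->", decide(POLICY, u))
```

Note that alice is both in netgroup1 and a uniquemember of support_ldapgroup; under first-match ordering the allow rule wins because it is listed first, so rule order is part of the policy's meaning, and the deny rule only takes effect for users such as dave who reach it.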