LDAP-UX Client Services B.04.00 Administrator's Guide
Administering LDAP-UX Client Services
PAM_AUTHZ Login Authorization Enhancement
Chapter 4 117
In the above example, if a user reports to paulw and the user's job is
related to marketing, then the user is granted login access. The rule
structure is flexible in how access is defined for particular groups of
users.
other
PAM_AUTHZ ignores any value in the <object> field; an access rule of
this type always evaluates to true immediately. For example,
allow:other
In the above example, all users are granted login access to the
machine. The primary use of this type of rule is to toggle the
PAM_AUTHZ default <action>.
<object> The values in this field define the policy criteria that
PAM_AUTHZ checks against the login name. The values allowed in this
field depend on the option stated in the <type> field.
Policy Validator
PAM_AUTHZ works as a policy validator. Once it receives a PAM
request, it starts to process the access rules defined in
pam_authz.policy. It validates and determines the user’s login
authorization based on the user’s login name and the information it
retrieves from various name services. The result is then returned to the
PAM framework.
PAM_AUTHZ processes access rules in the order they are defined in
pam_authz.policy. It stops processing when any one of the access rules
evaluates to true (match). That rule is called the "authoritative" rule.
If an access rule evaluates to false (no match), the rule is skipped. If
all access rules in the policy file have been evaluated but the user's
access right cannot be determined, the user is restricted from login.
NOTE The default <action> of PAM_AUTHZ is "deny" if no authoritative rule
is found.
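The following is an added example (not code from the guide or from HP's PAM_AUTHZ module) that models the evaluation order just described: rules are read top to bottom, the first matching rule is authoritative, an "other" rule matches unconditionally, and a policy with no authoritative rule falls back to "deny". The policy text and directory data are constructed for the demo, and the rule types unix_user and unix_group used beside "other" are assumed for illustration.

```python
"""Toy evaluator for pam_authz.policy first-match semantics (added example)."""
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, str, str]  # (<action>, <type>, <object>)

# Constructed sample policy: a specific deny placed before a broader allow,
# then a catch-all "other" rule that sets the effective default.
SAMPLE_POLICY = """\
# comment lines and blank lines are skipped
deny:unix_user:guest
allow:unix_group:marketing
allow:unix_user:paulw
deny:other
"""

# Constructed directory data: login name -> group memberships.
SAMPLE_GROUPS: Dict[str, List[str]] = {
    "alice": ["marketing"], "paulw": ["managers"],
    "guest": ["marketing"], "bob": [],
}

def parse_policy(text: str) -> List[Rule]:
    """Parse <action>:<type>:<object> lines; <object> may be absent."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2) + ["", ""]
        action, rtype, obj = parts[0].lower(), parts[1].lower(), parts[2]
        if action not in ("allow", "deny") or not rtype:
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        rules.append((action, rtype, obj))
    return rules

def matches(user: str, rtype: str, obj: str, groups: Dict[str, List[str]]) -> bool:
    if rtype == "other":            # <object> is ignored; always true
        return True
    if rtype == "unix_user":        # assumed type: exact login-name match
        return user == obj
    if rtype == "unix_group":       # assumed type: group membership
        return obj in groups.get(user, [])
    return False                    # unknown type: no match, rule skipped

def authorize(user: str, rules: List[Rule],
              groups: Dict[str, List[str]]) -> Tuple[str, Optional[Rule]]:
    """Return (decision, authoritative rule); default deny when none matches."""
    for rule in rules:
        action, rtype, obj = rule
        if matches(user, rtype, obj, groups):
            return action, rule
    return "deny", None
```

Note that guest is denied even though guest is in the marketing group, because the deny rule comes first and is therefore authoritative; removing the trailing "deny:other" changes nothing for bob, since the built-in default is already deny.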