LDAP-UX Client Services B.04.00 Administrator's Guide
Chapter 4: Administering LDAP-UX Client Services (page 118)
PAM_AUTHZ skips an access rule, and does not process it, in the following situations:
- The access rule contains incorrect syntax.
- PAM_AUTHZ processes the ldap_filter and ldap_group types of access rules by querying the LDAP directory server through the ldapclientd daemon. If LDAP-UX Client Services is not running, PAM_AUTHZ skips all ldap_filter and ldap_group rules.
An Example of /etc/opt/ldapux/pam_authz.policy File
The following shows an example of the
/etc/opt/ldapux/pam_authz.policy file:
allow:unix_user:user1,user2,user3
allow:unix_group:group1,group2
deny:unix_group:group11,group12
allow:netgroup:netgroup1,netgroup2
allow:ldap_group:ldapgroup1,ldapgroup2
allow:ldap_filter:(&(manager=Joeh)(department=marketing))
PAM_AUTHZ processes access rules in the order in which they are defined in the pam_authz.policy file, and stops evaluating as soon as any one access rule matches. In the above example, if user2 attempts to log in, the name matches one of the user names in the first access rule, so PAM_AUTHZ stops evaluating the remaining access rules and allows user2 to log in. Now suppose user3 is a member of the ldapgroup2 group and of no other group. PAM_AUTHZ validates user3's login access by evaluating the access rules defined in pam_authz.policy. When the fifth access rule is evaluated, user3 is found to be a member of the listed group, ldapgroup2, and user3 is granted login access.
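The first-match evaluation described above, as an added example that is not part of this guide or of the LDAP-UX product: a Python simulation of how a pam_authz.policy file is processed. The policy text is the example file from this section plus one constructed line with a double colon to show a rule being skipped for wrong syntax; the user identities, group memberships and LDAP attributes are constructed, the ldap_filter support covers only the (&...), (|...), (!...) and attr=value forms, and the result when no rule matches is returned as None because this section does not state that default.

```python
"""Simulated first-match evaluation of a pam_authz.policy file (added example,
not LDAP-UX code). Identities and the malformed seventh rule are constructed."""
from dataclasses import dataclass

RULE_TYPES = {"unix_user", "unix_group", "netgroup", "ldap_group", "ldap_filter"}
LDAP_TYPES = {"ldap_group", "ldap_filter"}   # need ldapclientd to be running


@dataclass
class Rule:
    action: str   # "allow" or "deny"
    rtype: str    # one of RULE_TYPES
    value: str    # comma-separated names, or an LDAP filter string


def _parse_filter(s, i=0):
    """Recursive-descent parser for a small RFC 4515 subset; returns (node, next_index)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '('")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, subs = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            node, i = _parse_filter(s, i)
            subs.append(node)
        if i >= len(s) or s[i] != ")" or not subs or (op == "!" and len(subs) != 1):
            raise ValueError("malformed compound filter")
        return (op, subs), i + 1
    j = s.find(")", i)
    if j < 0 or "=" not in s[i:j]:
        raise ValueError("malformed simple filter")
    attr, _, val = s[i:j].partition("=")
    return ("=", attr.lower(), val), j + 1


def filter_matches(node, entry):
    """Evaluate a parsed filter against {attr: [values]} (case-insensitive compare)."""
    op = node[0]
    if op == "=":
        return any(v.lower() == node[2].lower() for v in entry.get(node[1], []))
    if op == "&":
        return all(filter_matches(n, entry) for n in node[1])
    if op == "|":
        return any(filter_matches(n, entry) for n in node[1])
    return not filter_matches(node[1][0], entry)   # op == "!"


def parse_policy(text):
    """Parse policy lines; a line with wrong syntax is skipped, as PAM_AUTHZ does."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)
        if (len(parts) != 3 or parts[0] not in ("allow", "deny")
                or parts[1] not in RULE_TYPES or not parts[2]):
            continue                      # wrong syntax: rule skipped
        if parts[1] == "ldap_filter":
            try:
                if _parse_filter(parts[2])[1] != len(parts[2]):
                    continue              # trailing junk after the filter
            except ValueError:
                continue                  # unparsable filter: rule skipped
        rules.append(Rule(parts[0], parts[1], parts[2]))
    return rules


def rule_matches(rule, user, ident):
    names = set(rule.value.split(","))
    if rule.rtype == "unix_user":
        return user in names
    if rule.rtype in ("unix_group", "netgroup", "ldap_group"):
        return bool(ident[rule.rtype + "s"] & names)
    return filter_matches(_parse_filter(rule.value)[0], ident["ldap_entry"])


def evaluate(rules, user, ident, ldapclientd_running=True):
    """Return the action of the first matching rule, or None if no rule matched."""
    for rule in rules:
        if rule.rtype in LDAP_TYPES and not ldapclientd_running:
            continue                      # ldapclientd down: ldap_* rules skipped
        if rule_matches(rule, user, ident):
            return rule.action
    return None


# Policy from the guide plus one constructed malformed line (double colon).
POLICY = """\
allow:unix_user:user1,user2,user3
allow:unix_group:group1,group2
deny:unix_group:group11,group12
allow:netgroup:netgroup1,netgroup2
allow:ldap_group:ldapgroup1,ldapgroup2
allow:ldap_filter:(&(manager=Joeh)(department=marketing))
allow::ldap_group:ldapgroup3
"""


def make_ident(unix=(), net=(), ldap=(), entry=None):
    """Constructed identity: group memberships plus the user's LDAP attributes."""
    return {"unix_groups": set(unix), "netgroups": set(net),
            "ldap_groups": set(ldap), "ldap_entry": entry or {}}


USERS = {  # all constructed
    "user2": make_ident(unix=["group11"]),   # rule 1 wins; the group11 deny is never reached
    "user3": make_ident(ldap=["ldapgroup2"]),  # rule 1 matches by name; rule 5 would too
    "bob":   make_ident(unix=["group12"]),   # rule 3: deny
    "carol": make_ident(entry={"manager": ["joeh"], "department": ["Marketing"]}),
    "dave":  make_ident(ldap=["ldapgroup3"]),  # only the skipped malformed rule names it
}

if __name__ == "__main__":
    rules = parse_policy(POLICY)
    for name, ident in USERS.items():
        print(name, evaluate(rules, name, ident),
              evaluate(rules, name, ident, ldapclientd_running=False))
```

Running the block prints each user's result with ldapclientd up and then down: carol is allowed only while the daemon runs, because her only matching rule is an ldap_filter rule, and dave never matches because the only rule naming his group was discarded for wrong syntax.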
Adding a Directory Replica
Your LDAP directory contains configuration profiles downloaded by each
client system and name service data accessed by each client system. As
your environment grows, you may need to add a directory replica to your