LDAP-UX Client Services B.04.00 with Microsoft Windows 2000/2003 Active Directory Administrator's Guide
Administering LDAP-UX Client Services
PAM_AUTHZ Login Authorization Enhancement
Chapter 4
PAM_AUTHZ Login Authorization Enhancement
The PAM_AUTHZ service module lets the administrator control who can log
in to the system based on netgroup information found in the /etc/passwd
and /etc/netgroup files. PAM_AUTHZ was created to provide access control
similar to the netgroup filtering feature performed by NIS.
Starting with LDAP-UX Client Services B.04.00, PAM_AUTHZ has been
enhanced to give administrators a simple security configuration file in
which to set up a local access policy that better meets the needs of their
organization. PAM_AUTHZ uses the access policy to determine which users
are allowed to log in to the system. A policy specifies which groups,
LDAP groups, users, or other access control objects (such as LDAP search
filters) are allowed to log in to the system. For example, you can allow
or deny access to a host or application based on the user's membership
in a group or role within an organization. PAM_KERBEROS and PAM_AUTHZ
can be used together to authenticate and authorize users in a Windows
2000 or 2003 environment: PAM_KERBEROS authenticates the user, and
PAM_AUTHZ then uses ADS groups or other user information named in the
policy file to determine whether the user is authorized to access the
system. Note that authentication alone is not sufficient; a user with a
valid Kerberos password is still refused if no rule in the policy permits
the login.
Policy And Access Rules
Access rules are the basic elements of access control. Administrators
create access rules that permit or restrict a user's access. A policy is
the collection of these sets of access rules in a given order; because the
rules are evaluated in that order, the same rules listed differently can
yield a different decision. This consolidated list of rules defines the
overall access strategy of a local client machine. PAM_AUTHZ enables
administrators to create an access policy by defining different types of
access rules and saving the policy in a file.
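The following is an added example, not code from HP or from LDAP-UX itself. It models how an ordered allow/deny policy of the kind described above is evaluated: a policy file of rules keyed by UNIX user, UNIX group, netgroup, LDAP group or LDAP search filter, checked top to bottom. The `action:type:object` rule syntax, the first-match-wins evaluation and the fail-closed default are assumptions chosen for illustration; consult the policy file description later in this guide for the real PAM_AUTHZ grammar. The directory contents are constructed inline so the script runs offline.

```python
"""Ordered allow/deny policy evaluation in the spirit of PAM_AUTHZ.

Added example, not part of LDAP-UX. Rule syntax, first-match-wins and the
default deny are assumptions made for illustration only.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed stand-ins for /etc/group, /etc/netgroup and an AD/LDAP server.
UNIX_GROUPS: Dict[str, set] = {"wheel": {"root", "alice"}, "dev": {"bob", "carol"}}
NETGROUPS: Dict[str, set] = {"ops-hosts": {"alice", "dave"}}
LDAP_ENTRIES: Dict[str, dict] = {
    "alice": {"memberOf": ["cn=unix-admins,ou=groups,dc=example,dc=com"], "department": "ops"},
    "bob":   {"memberOf": ["cn=developers,ou=groups,dc=example,dc=com"], "department": "eng"},
    "carol": {"memberOf": [], "department": "eng"},
    "dave":  {"memberOf": [], "department": "ops", "accountDisabled": "TRUE"},
    "eve":   {"memberOf": [], "department": "sales"},
}

RULE_TYPES = ("unix_user", "unix_group", "netgroup", "ldap_group", "ldap_filter")


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    rtype: str    # one of RULE_TYPES
    obj: str      # user, group name, group DN or LDAP filter


def parse_policy(text: str) -> List[Rule]:
    """Parse 'action:type:object' lines; '#' starts a comment. Malformed or
    unknown rules are rejected outright rather than silently skipped, so a
    typo cannot quietly widen access."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[0] not in ("allow", "deny") or parts[1] not in RULE_TYPES:
            raise ValueError(f"policy line {lineno}: malformed rule {raw!r}")
        rules.append(Rule(*parts))
    return rules


_EQ_FILTER = re.compile(r"^\((\w+)=([^()]*)\)$")


def eval_filter(flt: str, entry: dict) -> bool:
    """Evaluate a single '(attr=value)' equality filter against an entry.
    Only this subset is handled here; values compare case-insensitively,
    as with LDAP's caseIgnoreMatch."""
    m = _EQ_FILTER.match(flt)
    if not m:
        raise ValueError(f"unsupported filter {flt!r}; only (attr=value) is handled")
    attr, want = m.groups()
    have = entry.get(attr)
    if have is None:
        return False
    values = have if isinstance(have, list) else [have]
    return any(v.lower() == want.lower() for v in values)


def rule_matches(rule: Rule, user: str) -> bool:
    entry = LDAP_ENTRIES.get(user, {})
    if rule.rtype == "unix_user":
        return user == rule.obj
    if rule.rtype == "unix_group":
        return user in UNIX_GROUPS.get(rule.obj, set())
    if rule.rtype == "netgroup":
        return user in NETGROUPS.get(rule.obj, set())
    if rule.rtype == "ldap_group":
        return rule.obj.lower() in (g.lower() for g in entry.get("memberOf", []))
    return eval_filter(rule.obj, entry)  # ldap_filter


def decide(policy_text: str, user: str) -> Tuple[str, Optional[Rule]]:
    """First matching rule decides; no match means deny (fail closed)."""
    for rule in parse_policy(policy_text):
        if rule_matches(rule, user):
            return rule.action, rule
    return "deny", None


# Constructed policy: disabled AD accounts are refused before any allow rule.
POLICY = """
deny:ldap_filter:(accountDisabled=TRUE)
allow:unix_group:wheel
allow:ldap_group:cn=unix-admins,ou=groups,dc=example,dc=com
allow:netgroup:ops-hosts
deny:unix_user:bob                      # bob is in dev but is blocked by name
allow:ldap_filter:(department=eng)
"""

# Same rules, but the netgroup allow now precedes the disabled-account check,
# so the disabled user dave gets in: order is part of the policy.
REORDERED = "allow:netgroup:ops-hosts\n" + POLICY

if __name__ == "__main__":
    for u in ("root", "alice", "bob", "carol", "dave", "eve"):
        action, rule = decide(POLICY, u)
        print(f"{u:6} {action:5} via {rule or 'default'}")
```

Running the script shows `dave` denied by the disabled-account filter under `POLICY` but allowed under `REORDERED`, which is why a deny that must always win belongs at the top of the file.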