LDAP-UX Client Services B.04.00 with Microsoft Windows 2000/2003 Active Directory Administrator's Guide
Administering LDAP-UX Client Services
PAM_AUTHZ Login Authorization Enhancement
Chapter 4
unix_user
This option indicates that the administrator wants to
control login access by comparing the user's login name
against a list of predefined user names. If the login name
matches one of the names in the list, the authorization
statement evaluates to true and the final access right is
determined by the <action> field. An example of a
unix_user access rule is as follows:
allow:unix_user:myuser1,myuser2,myuser3
If user myuser3 attempts to log in, the above access
rule evaluates to true and the user is granted
login access.
unix_group
This option specifies that the administrator wants to
control login access using the user's group membership.
You specify a list of group names in the <object>
field. PAM_AUTHZ retrieves the membership of each
listed group by querying the name services configured
in nsswitch.conf, so the group entries may come from
any source (files, nis, ldap, etc.). If the login user
belongs to any group in the list, the access rule
evaluates to true. Otherwise, the rule is skipped and
evaluation continues with the next rule. An example of
a unix_group access rule is shown as follows:
deny:unix_group:myunixgroup10,myunixgroup11,\
myunixgroup12
Suppose a user who is a member of myunixgroup12 tries
to log in. The rule evaluates to true and the <action>
is applied: the user is denied login access to the
machine even though the password is valid.
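The following is an added worked example, not code from the guide or from HP's PAM_AUTHZ module. It parses rules in the <action>:<type>:<object> form shown above (including the backslash continuation line of the unix_group example) and evaluates them for the unix_user, unix_group and netgroup types. Two things it assumes, because the text above does not state them: rules are tried in file order and the first matching rule decides (so a deny rule placed after an allow for the same user is shadowed), and a policy in which no rule matches falls back to a configurable default. The group and netgroup membership tables are constructed stand-ins for the data PAM_AUTHZ would fetch through nsswitch.conf.

```python
"""Toy evaluator for PAM_AUTHZ-style access rules (added example).

Rule format taken from the guide: <action>:<type>:<object>[,<object>...]
with <action> one of allow/deny.  Lines ending in a backslash continue on
the next line, as in the guide's unix_group example.
"""

# Constructed stand-in for the group data PAM_AUTHZ would retrieve through
# the name services listed in nsswitch.conf (files, nis, ldap, ...).
# group name -> set of member login names.
GROUPS = {
    "myunixgroup10": {"alice"},
    "myunixgroup12": {"bob", "carol"},
    "staff": {"alice", "bob", "myuser3"},
}

# Constructed netgroup membership: netgroup name -> set of member login names.
NETGROUPS = {
    "admins": {"alice"},
}


def parse_policy(text):
    """Return a list of (action, rule_type, objects) tuples.

    Backslash-newline continuations are joined first; blank lines and
    '#' comments are ignored.  Malformed rules raise ValueError rather
    than being silently skipped, which would otherwise widen access.
    """
    joined = text.replace("\\\n", "")
    rules = []
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            raise ValueError(f"malformed rule: {line!r}")
        action, rule_type, objects = (p.strip() for p in parts)
        action = action.lower()
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action in rule: {line!r}")
        objs = [o.strip() for o in objects.split(",") if o.strip()]
        rules.append((action, rule_type.lower(), objs))
    return rules


def user_groups(user):
    """Groups the user belongs to, from the constructed GROUPS table."""
    return {g for g, members in GROUPS.items() if user in members}


def rule_matches(rule, user):
    """True if the rule's <object> list covers this user, else False."""
    _action, rule_type, objs = rule
    if rule_type == "unix_user":
        return user in objs
    if rule_type == "unix_group":
        return bool(user_groups(user) & set(objs))
    if rule_type == "netgroup":
        return any(user in NETGROUPS.get(n, set()) for n in objs)
    raise ValueError(f"unsupported rule type: {rule_type!r}")


def authorize(policy_text, user, default="deny"):
    """Return 'allow' or 'deny' for the user.

    Assumption (not stated in the guide): rules are evaluated in file
    order and the first matching rule decides; non-matching rules are
    skipped.  'default' applies when no rule matches (also an assumption).
    """
    for rule in parse_policy(policy_text):
        if rule_matches(rule, user):
            return rule[0]
    return default


# Constructed policy combining the rule types discussed in the guide.
# The deny rule is listed first so it cannot be shadowed by a later allow.
POLICY = """\
# group-based deny, continued across two lines with a backslash
deny:unix_group:myunixgroup10,myunixgroup11,\\
myunixgroup12
allow:unix_user:myuser1,myuser2,myuser3
allow:netgroup:admins
"""

if __name__ == "__main__":
    for login in ("bob", "myuser3", "alice", "dave"):
        print(f"{login}: {authorize(POLICY, login)}")
```

Note the ordering consequence: alice is in the netgroup admins, but she is also in myunixgroup10, and because the deny rule comes first she is refused. Swapping the two rules would grant her access, so place deny rules before allow rules unless you specifically intend the exception.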
netgroup
This option specifies that the access permission is
determined by the user's netgroup membership. You
must specify a list of netgroup names in the <object>
field. If the user is a member of one of the netgroups
specified in the netgroup list, then the access rule is