LDAP-UX Client Services B.04.10 Administrator's Guide (edition 7)
PAM_AUTHZ Login Authorization
The Pluggable Authentication Module (PAM) is an industry-standard authentication framework
that is supplied as an integrated part of the HP-UX system. PAM gives system administrators
the flexibility of choosing any authentication service available on the system to perform
authentication. The PAM framework also allows new authentication service modules to be
plugged in and made available without modifying the PAM-enabled applications.
The PAM framework, together with the PAM_AUTHZ service module supplied with LDAP-UX
Client Services, provides support for Account Management services. These services allow the
administrator to control who can log in to the system based on netgroup information found in
the /etc/passwd and /etc/netgroup files. PAM and PAM_AUTHZ can also be configured
to use LDAP-UX Client Services to retrieve this information from an LDAP directory server and
perform the authorization check against it.
Starting with LDAP-UX Client Services B.04.00, PAM_AUTHZ has been enhanced to give
administrators a simple security configuration file in which to set up a local access policy that
better meets their organization's needs. PAM_AUTHZ uses the access policy to determine which
users are allowed to log in to the system. A policy specifies which groups, LDAP groups, users or
other access control objects (such as objects defined by LDAP search filters) are allowed to log in
to the system. This flexibility enables you to allow or deny access to a host or application based
on a user's membership in a group, or role within an organization. For example, PAM and
PAM_AUTHZ can define an access rule that uses an LDAP directory server to state that the
criterion is met if 'userA' works for manager 'Sam'. When the rule is evaluated, a request is sent
to the LDAP directory, and if the attributes are found, the user can be granted or denied access.
Policy And Access Rules
Access rules are the basic elements of access control. Administrators create access rules that
restrict or permit a user's access. A policy is the collection of these different sets of access rules
in a given order. This consolidated, ordered list of rules defines the overall access strategy of a
local client machine. PAM_AUTHZ enables administrators to create an access policy by defining
different types of access rules and saving the policy in a file.
How Login Authorization Works
The system administrator defines the access rules and stores them in the policy file,
/etc/opt/ldapux/pam_authz.policy. PAM_AUTHZ uses the access rules defined in this
policy file to control login authorization.
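As a worked illustration of the ordered-rule model described in the two preceding sections, the following Python example is added here; it is not part of the LDAP-UX product or of this guide. It models a policy as an ordered list of allow/deny rules over users, UNIX groups, netgroups and a manager attribute retrieved from a directory, and shows why rule order matters. The rule syntax (`action:type:value`), the first-match semantics, the default deny for users no rule covers, and all user, group and directory data are constructed assumptions for this example, not the real pam_authz.policy format.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data standing in for the local files (/etc/group, /etc/netgroup)
# and for an LDAP lookup; these are assumptions for this example, not real system data.
UNIX_GROUPS = {
    "sysadmin": {"alice"},
    "users": {"alice", "bob", "carol", "dave"},
}
NETGROUPS = {
    "ops-hosts": {"bob", "dave"},
}
LDAP_MANAGER = {          # user -> value of an assumed "manager" attribute in the directory
    "alice": "sam",
    "carol": "sam",
    "bob": "erin",
}

# Assumed policy syntax for this model: one "action:type:value" rule per line.
SAMPLE_POLICY = """\
# constructed policy; evaluated top to bottom, first match wins
deny:user:dave                # explicit deny beats the netgroup allow below
allow:unix_group:sysadmin
allow:netgroup:ops-hosts
allow:ldap_manager:sam        # anyone whose manager attribute is 'sam'
"""

RULE_TYPES = ("user", "unix_group", "netgroup", "ldap_manager")


@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    kind: str    # one of RULE_TYPES
    value: str


def parse_policy(text: str) -> list[Rule]:
    """Parse the policy text into an ordered rule list. Malformed lines are rejected
    rather than skipped, so a typo cannot silently weaken the policy."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != 3 or parts[0] not in ("allow", "deny") or parts[1] not in RULE_TYPES:
            raise ValueError(f"line {lineno}: malformed rule {raw.strip()!r}")
        rules.append(Rule(parts[0], parts[1], parts[2]))
    return rules


def rule_matches(rule: Rule, user: str) -> bool:
    """Decide whether one access control object covers this user."""
    if rule.kind == "user":
        return user == rule.value
    if rule.kind == "unix_group":
        return user in UNIX_GROUPS.get(rule.value, set())
    if rule.kind == "netgroup":
        return user in NETGROUPS.get(rule.value, set())
    if rule.kind == "ldap_manager":   # stands in for a directory search-filter rule
        return LDAP_MANAGER.get(user) == rule.value
    raise ValueError(f"unknown rule type {rule.kind!r}")


def authorize(rules: list[Rule], user: str) -> tuple[bool, Optional[Rule]]:
    """Walk the rules in policy order; the first matching rule decides.
    A user matched by no rule is denied, so the policy fails closed."""
    for rule in rules:
        if rule_matches(rule, user):
            return rule.action == "allow", rule
    return False, None


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    for name in ("alice", "bob", "carol", "dave", "eve"):
        ok, matched = authorize(policy, name)
        why = f"{matched.action}:{matched.kind}:{matched.value}" if matched else "no matching rule"
        print(f"{name:6} -> {'allow' if ok else 'deny':5} ({why})")
```

Running the script shows `dave` denied even though he is a member of the `ops-hosts` netgroup, because the explicit deny rule precedes the netgroup allow; swapping those two lines would grant him access, which is the ordering effect the policy file's "given order" wording refers to. `eve` matches no rule and is denied by default.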
98 Administering LDAP-UX Client Services