LDAP-UX Client Services B.04.15 Administrator's Guide

5.3.8 Static List Access Rule
When the value in the <type> field is one of unix_user, unix_local_user, unix_group, netgroup,
or ldap_group, the rule is evaluated using a list of predefined values in the <object> field. Based
on the value in the <type> field, pam_authz calls the appropriate service to determine whether the
requested item is present. If the requested information is found, the rule is evaluated to be
true.
The following describes these values for this field in detail:
unix_user
    This option indicates that an administrator wants to control login
    access by comparing a user's login name with a list of predefined users.
    If the login name matches one of the user names in the list, the
    authorization statement is evaluated to be true. The final access right is
    determined by evaluating the <action> field. An example of a
    unix_user type of access rule is as follows:
        allow:unix_user:myuser1,myuser2,myuser3
    If the user myuser3 attempts to log in, the above access rule is evaluated
    to be true and the user is granted login access.
unix_local_user
    This option indicates that an administrator wants to control login
    access by checking a local user's login name against the user accounts
    in the /etc/passwd file. If the login name matches one of the user
    accounts defined in /etc/passwd, the authorization statement is
    evaluated to be true. Otherwise, the rule is skipped. The <object> field
    is omitted for this type, as in the following example of a
    unix_local_user access rule:
        allow:unix_local_user
    For example, if a user account myuser5 is defined in /etc/passwd, the
    above access rule is evaluated to be true and myuser5 is granted login
    access to the local host.
unix_group
    This option specifies that an administrator wants to control the login
    access right using the user's group membership. You can specify a list
    of group names in the <object> field. pam_authz retrieves the group
    information of each listed group by querying the name services specified
    in nsswitch.conf. That means the group entries may come from any
    source (files, nis, ldap, etc.). If the user logging in belongs to any group in
    the list, the access rule is evaluated to be true. Otherwise, the rule is
    skipped. An example of a unix_group access rule is as follows:
        deny:unix_group:myunixgroup10,myunixgroup11,myunixgroup12
    A user who is a member of myunixgroup12 tries to log in. The rule
    is evaluated to be true and the <action> is applied: the user is
    denied access to the machine even with a valid password.
netgroup
    This option specifies that the access permission is determined by the
    user's netgroup membership. You must specify a list of netgroup names
    in the <object> field. If the user is a member of one of the netgroups
    specified in the list, the access rule is evaluated to be true.
    pam_authz obtains the netgroup information by querying the name
    services specified in nsswitch.conf. For example:
        allow:netgroup:netgroup1,netgroup2,netgroup3
    A user who belongs to netgroup1 tries to log in. The above access
    rule is evaluated to be true and the user is granted login access.
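The following is an added illustration, not code from the LDAP-UX product: a small evaluator that parses <action>:<type>:<object> rules for the four types described above and applies them to a constructed user context. The /etc/passwd content, group and netgroup memberships are constructed test data; the default of deny when no rule matches, and the first-matching-rule-wins ordering, are assumptions made for the example rather than behaviour stated in this section.

```python
# Added example: evaluator for pam_authz static-list rules (<action>:<type>:<object>).
# Test data below is constructed; default-deny and first-match-wins are assumptions.
from dataclasses import dataclass, field

@dataclass
class UserContext:
    name: str
    groups: set = field(default_factory=set)      # groups resolved via nsswitch sources
    netgroups: set = field(default_factory=set)   # netgroup memberships
    local_passwd: str = ""                        # constructed /etc/passwd content

def local_user_exists(name, passwd_text):
    """True if <name> is the login field of an entry in the given /etc/passwd text."""
    return any(line.split(":", 1)[0] == name
               for line in passwd_text.splitlines()
               if line and not line.startswith("#"))

def rule_matches(rule, user):
    """Evaluate one rule against the user; True means the <action> applies."""
    parts = rule.strip().split(":", 2)
    rtype = parts[1]
    objs = {o.strip() for o in parts[2].split(",")} if len(parts) > 2 else set()
    if rtype == "unix_user":
        return user.name in objs
    if rtype == "unix_local_user":            # candidate list is /etc/passwd itself
        return local_user_exists(user.name, user.local_passwd)
    if rtype == "unix_group":
        return bool(user.groups & objs)
    if rtype == "netgroup":
        return bool(user.netgroups & objs)
    return False  # other types (e.g. ldap_group) are not handled in this example

def authorize(rules, user, default="deny"):
    """Return the <action> of the first rule that evaluates true, else `default`."""
    for rule in rules:
        if rule_matches(rule, user):
            return rule.split(":", 1)[0]
    return default

PASSWD = "root:x:0:0::/:/sbin/sh\nmyuser5:x:501:20::/home/myuser5:/bin/sh\n"  # constructed
RULES = [
    "deny:unix_group:myunixgroup10,myunixgroup11,myunixgroup12",
    "allow:unix_user:myuser1,myuser2,myuser3",
    "allow:unix_local_user",
    "allow:netgroup:netgroup1,netgroup2,netgroup3",
]

if __name__ == "__main__":
    u = UserContext("myuser3", groups={"users", "myunixgroup12"}, local_passwd=PASSWD)
    print(authorize(RULES, u))  # deny: the group rule matches before the user rule
```

Ordering the deny rule first means a listed user is still refused when they belong to a denied group, which is the interaction an administrator should check when combining rule types.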