LDAP-UX Client Services B.04.15 Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP-UX LDAP-UX Integration Software

101

102

103

104

105

106

107

108

109

110

ldap_group This option specifies that an access rule is based on the non-POSIXGroup

membership. PAM_AUTHZ supports ldap group with groupOfNames

or groupOfUniqueNamesobjectclass. A list of ldap_group names is

specified in the <object> field. The group membership information is

stored in the LDAP directory server. An example of a ldap_group type

of access rule is as follows:

deny:ldap_group:engineering_ldapgroup,support_ldapgroup,epartner_ldapgroup

PAM_AUTHZ retrieves group membership of each listed group from

the directory server through LDAP-UX client services. Then, it examines

if the user's Distinguished Name (DN) matches any value in the member

or uniquemember attribute.

5.3.9 Dynamic Variable Access Rule

PAM_AUTHZ supports dynamic variables in the ldap_filter type of the access rule. A dynamic

variable is defined in <object> (LDAP search filter) field, it can consist of one or more

(attribute=$[variable_name]) pairs. The syntax of an access rule with the dynamic variable is:

<action>:ldap_filter:(attribute=$[variable_name])

For example, if an administrator has an attribute named hostControl defined in the directory,

and wants to use this attribute to define which host a user can log on to. He may add the following

access rule in the /etc/opt/ldapux/pam_authz.policy file:

allow:ldap_filter:(hostControl= hostA)

Where hostA is the value for the local host that the user must be granted access. If a user, John,

has a hostControl attribute in his user entry in the LDAP directory and the value is hostA,

then the access rule is evaluated to be true and this user is allowed to log in to the host, hostA.

In the above example, a dynamic variable HOSTNAME can be used. The previous access rule can

be re-defined as follows:

allow: ldap_filter: (hostControl=$[HOSTNAME])

where $[HOSTNAME] represents a dynamic variable function which will be called to retrieve

the local host name information. PAM_AUTHZ will then substitute its return value to the search

filter.

5.3.9.1 Supported Functions for Dynamic Variables

In LDAP-UX Client Services B.04.10, PAM_AUTHZ provides the following default dynamic

variable functions in the libpolicy_commonauthz library. These functions can be used as

dynamic variables specified in the ldap_filter type of access rules::

HOSTNAME Returns the fully qualified host name of the local system from which the

user attempts to log on. For example, hostA.hp.com.

HOSTIP Returns the IP address of the local system from which the user attempts to

log on. For example, 12.10.2.105.

TERMINAL Returns the terminal type of the computer from which the user attempts to

log on. For example, /dev/pts/0.

Some applications (such as ssh or remsh) do not pass the terminal dynamic

variable value to PAM_AUTHZ.

TIMEOFTHEDAY Returns the current time of the computer system from which the user attempts

to log on. For example, 20061015125535Z represents October 15, 2006 at 12:55

and 35 seconds GMT. TIMEOFTHEDAY follows the “UTC Time” syntax as

described by RFC4517.

SERVICE Returns the name of the PAM service from which the user attempts to access.

For example, common PAM service names include ftp, login, telnet.

5.3 PAM_AUTHZ Login Authorization 103