LDAP-UX Client Services B.05.00 Administrator's Guide
5.3 PAM_AUTHZ login authorization
The Pluggable Authentication Module (PAM) is an industry standard authentication framework
that is supplied as an integrated part of the HP-UX system. PAM gives system administrators
the flexibility of choosing any authentication service available on the system to perform
authentication. The PAM framework also allows new authentication service modules to be
plugged in and made available without modifying the PAM-enabled applications. The library
/usr/lib/security/libpam_authz.so.1 (and architecture-dependent library paths)
provides the access control functionality described in this section. You can add it to your existing
/etc/pam.conf as shown in “Policy file”.
This section assumes you have some knowledge of how to configure PAM libraries in the
/etc/pam.conf file. For more information about configuring PAM libraries, see the HP-UX System
Administrator's Guide: Security Management, available at the following location:
www.hp.com/go/hpux-core-docs (click HP-UX 11i v3)
The PAM framework, together with the PAM_AUTHZ service module (which is defined in the
PAM_AUTHZ library known as libpam_authz) supplied with LDAP-UX Client Services,
provides support for Account Management services. These services allow the administrator to
control who can log in to the system based on netgroup information found in the /etc/passwd
and /etc/netgroup files. PAM and PAM_AUTHZ can also be configured to use LDAP-UX
Client Services to retrieve that information from an LDAP directory server and perform the
authorization check against it.
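PAM_AUTHZ only controls logins for a service whose account stack in /etc/pam.conf actually includes it. As an added example (not from the LDAP-UX guide or from HP's own tooling), the following Python script parses an HP-UX-style pam.conf and reports each service whose account stack does not enforce PAM_AUTHZ. It assumes the HP-UX pam.conf layout of service, module type, control flag, module path and optional options; that PAM_AUTHZ is stacked as an account module under the library name libpam_authz.so.1; and that only the required and requisite control flags make a denial by the module fatal. The sample pam.conf text is constructed for the example.

```python
"""Report services in an HP-UX style /etc/pam.conf that do not enforce PAM_AUTHZ.

Added example, not code from the LDAP-UX guide. Assumptions: pam.conf lines are
'service module_type control_flag module_path [options...]', PAM_AUTHZ is stacked
as an 'account' module named libpam_authz.so.1, and only the 'required' and
'requisite' control flags make a denial by that module fatal for the login.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple

AUTHZ_MODULE = "libpam_authz.so.1"
ENFORCING_FLAGS = ("required", "requisite")


class PamEntry(NamedTuple):
    service: str
    module_type: str
    control_flag: str
    module_path: str          # basename only, so full and bare paths compare equal
    options: List[str]


# Constructed sample: 'login' and 'sshd' stack PAM_AUTHZ for account management,
# 'ftp' lists it only under 'auth' (wrong module type), 'telnet' omits it entirely.
SAMPLE_PAM_CONF = """\
# Authentication management
login   auth     required  libpam_hpsec.so.1
login   auth     required  libpam_unix.so.1
sshd    auth     required  libpam_hpsec.so.1
sshd    auth     required  libpam_unix.so.1
ftp     auth     required  libpam_hpsec.so.1
ftp     auth     required  libpam_authz.so.1
telnet  auth     required  libpam_unix.so.1
# Account management
login   account  required  libpam_hpsec.so.1
login   account  required  /usr/lib/security/libpam_authz.so.1   debug
login   account  required  libpam_unix.so.1
sshd    account  required  libpam_hpsec.so.1
sshd    account  required  libpam_authz.so.1
sshd    account  required  libpam_unix.so.1
ftp     account  required  libpam_unix.so.1
telnet  account  required  libpam_unix.so.1
"""


def parse_pam_conf(text: str) -> List[PamEntry]:
    """Parse pam.conf text into entries, ignoring comments and blank lines."""
    entries: List[PamEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        service, module_type, control_flag, module_path = fields[:4]
        basename = module_path.rsplit("/", 1)[-1]
        entries.append(PamEntry(service, module_type, control_flag, basename, fields[4:]))
    return entries


def account_stacks(entries: List[PamEntry]) -> Dict[str, List[str]]:
    """Return, per service, the ordered list of modules in its 'account' stack."""
    stacks: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        if e.module_type == "account":
            stacks[e.service].append(e.module_path)
    return dict(stacks)


def services_without_authz(entries: List[PamEntry]) -> Dict[str, str]:
    """Map each service that does not enforce PAM_AUTHZ as an account module to a reason."""
    problems: Dict[str, str] = {}
    for svc in sorted({e.service for e in entries}):
        authz = [e for e in entries if e.service == svc and e.module_path == AUTHZ_MODULE]
        enforced = [e for e in authz
                    if e.module_type == "account" and e.control_flag in ENFORCING_FLAGS]
        if enforced:
            continue
        if not authz:
            problems[svc] = f"{AUTHZ_MODULE} not stacked"
        else:
            where = sorted(f"{e.module_type}/{e.control_flag}" for e in authz)
            problems[svc] = f"{AUTHZ_MODULE} stacked only as {where}; needs account/required"
    return problems


if __name__ == "__main__":
    parsed = parse_pam_conf(SAMPLE_PAM_CONF)
    for svc, mods in account_stacks(parsed).items():
        print(f"{svc:8s} account stack: {' -> '.join(mods)}")
    for svc, why in services_without_authz(parsed).items():
        print(f"WARNING {svc}: {why}")
```

To check a real host, read /etc/pam.conf into a string and pass it to parse_pam_conf in place of the constructed sample; every service that prints a WARNING line still lets users log in without PAM_AUTHZ evaluating the access policy.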
NOTE: Beginning with version 5.0 of the product, LDAP-UX Client Services supports integrated
compat mode to control which users are visible on a host; user accounts are referenced by
netgroups specified in the /etc/passwd file. For more information, see “Enabling integrated
Compat Mode to control name services and user logins” (page 104).
Starting with LDAP-UX Client Services B.04.00, PAM_AUTHZ has been enhanced to provide
administrators with a simple security configuration file for setting up a local access policy that
better meets their organization's needs. PAM_AUTHZ uses the access policy to determine which users
are allowed to log in to the system. A policy specifies which groups, LDAP groups, users or other
access control objects (such as objects defined by LDAP search filters) are allowed to log in to
the system. This flexibility enables you to allow or deny access to a host or application based on
a user's membership in a group, or role within an organization. For example, PAM and
PAM_AUTHZ can define an access rule that uses an LDAP directory server to state that if
'userA' works for manager 'Sam' then the criterion is met. When the rule is evaluated, a request
is sent to the LDAP directory, and depending on whether the attributes are found, the user is granted
or denied access.
NOTE: For information about other means for controlling access to the system, see Section 2.5.6
(page 106).
5.3.1 Policy and access rules
Access rules are the basic elements of access control. Administrators create access rules that
restrict or permit a user's access. A policy is the collection of these different sets of
access rules in a given order. This consolidated list of rules defines the overall access strategy of
a local client machine. PAM_AUTHZ enables administrators to create an access policy by defining
different types of access rules and to save the policy in a file.
5.3.2 How login authorization works
The system administrator can define the access rules and store them in an access policy file.
PAM_AUTHZ uses the access rules defined in the policy file to control login authorization.
140 Administering LDAP-UX Client Services