LDAP-UX Client Services B.05.00 Administrator's Guide

Figure 5-1 PAM_AUTHZ environment
[Figure: a PAM-enabled application calls the PAM framework; pam_authz reads the policy configuration file, consults the local /etc/group and /etc/netgroup files, and sends directory lookups through the ldap_ux client daemon (ldapclientd) to the LDAP directory server; other authentication modules, for example pam_kerberos and pam_ldap, follow it in the PAM stack. Numbered arrows 1 through 7 in the figure correspond to the steps listed below.]
The following describes the policy validation performed by PAM_AUTHZ for the user login authorization shown in “PAM_AUTHZ environment” (page 141):
1. The administrator defines access rules and saves them in a local access policy configuration file.
2. The PAM_AUTHZ service module receives an authorization request from the PAM framework and processes all the access rules stored in the access policy configuration file.
3. If a rule indicates that the required information is stored in an LDAP server, PAM_AUTHZ constructs a request message and sends it to the LDAP client daemon, ldapclientd. The LDAP client daemon performs the actual LDAP query and returns the result to PAM_AUTHZ. The access rule is then evaluated and the final access right is returned.
4. If a rule indicates that the required information is in the UNIX files, PAM_AUTHZ retrieves the user's information from the /etc/passwd, /etc/group or /etc/netgroup file through the getpwnam() or getgrnam() calls. The rule is then evaluated and the final access right is returned.
5. PAM_AUTHZ returns the corresponding PAM result to the PAM framework. The decision is returned to the application that called the PAM API.
6. If the user has permission to log in, the decision is passed to the next PAM service module configured in the pam.conf file, such as PAM_LDAP or PAM_KERBEROS. If the access rule passed but is assigned the required action type, PAM_AUTHZ continues and evaluates the next access policy rule. If the access rule failed and is assigned the required action type, or if processing reaches the end of the rules (after they all failed), login is denied.
7. The PAM service module returns the authentication result to the application that called the PAM API.
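The rule-walking order in steps 2 through 6 is easy to misread when a login is unexpectedly refused, so the following added example simulates it in Python. It is not HP's pam_authz code and does not use the real access policy file syntax: the Rule fields, the "ldap"/"files" sources, the "group"/"netgroup" rule kinds, the lookup tables and the user names are all constructed for the example, and a passed non-required rule is assumed to grant access outright. The one case the text leaves open (reaching the end of the list after only required rules passed) is treated as permission granted, marked as an assumption in the code.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed lookup tables standing in for the two information sources in
# the figure. In the real module an "ldap" rule is resolved by a request to
# ldapclientd (step 3) and a "files" rule by getpwnam()/getgrnam() against
# /etc/passwd, /etc/group and /etc/netgroup (step 4).
LDAP_GROUPS: Dict[str, Set[str]] = {
    "ldapadmins": {"alice"},
    "developers": {"bob", "carol"},
}
LOCAL_GROUPS: Dict[str, Set[str]] = {"wheel": {"alice", "dave"}}
LOCAL_NETGROUPS: Dict[str, Set[str]] = {"labusers": {"carol", "dave"}}


@dataclass(frozen=True)
class Rule:
    source: str      # "ldap" or "files": where the information lives (steps 3 and 4)
    kind: str        # "group" or "netgroup" (hypothetical rule kinds for this example)
    name: str        # group or netgroup the user must belong to
    required: bool   # True models the 'required' action type from step 6


def lookup_ldap(rule: Rule, user: str) -> bool:
    """Stand-in for the request sent to ldapclientd; only group rules are modelled."""
    if rule.kind != "group":
        raise ValueError(f"unsupported LDAP rule kind: {rule.kind}")
    return user in LDAP_GROUPS.get(rule.name, set())


def lookup_files(rule: Rule, user: str) -> bool:
    """Stand-in for the getgrnam()/netgroup lookups against the local files."""
    table = LOCAL_GROUPS if rule.kind == "group" else LOCAL_NETGROUPS
    return user in table.get(rule.name, set())


def rule_passes(rule: Rule, user: str) -> bool:
    if rule.source == "ldap":
        return lookup_ldap(rule, user)
    if rule.source == "files":
        return lookup_files(rule, user)
    raise ValueError(f"unknown rule source: {rule.source}")


def evaluate(rules: List[Rule], user: str) -> Tuple[str, List[str]]:
    """Walk the rules in file order (step 2); return ('allow'|'deny', trace).

    The trace records why each rule did or did not decide the outcome, which
    is what an administrator wants in a log when a login is refused.
    """
    trace: List[str] = []
    any_passed = False
    for idx, rule in enumerate(rules, start=1):
        passed = rule_passes(rule, user)
        any_passed = any_passed or passed
        tag = f"rule {idx} ({rule.source}:{rule.kind}:{rule.name})"
        if passed and rule.required:
            # Step 6: a passed 'required' rule does not grant by itself.
            trace.append(f"{tag} passed, required: continue")
            continue
        if passed:
            # Assumption: a passed non-required rule grants access.
            trace.append(f"{tag} passed: allow")
            return "allow", trace
        if rule.required:
            # Step 6: a failed 'required' rule denies immediately.
            trace.append(f"{tag} failed, required: deny")
            return "deny", trace
        trace.append(f"{tag} failed: continue")
    # End of the list. Step 6 denies when every rule failed. If the only
    # rules that passed were 'required' ones, we treat that as permission
    # granted (assumption: the text does not spell this case out).
    outcome = "allow" if any_passed else "deny"
    trace.append(f"end of rules: {outcome}")
    return outcome, trace


# Constructed policy: local wheel membership is mandatory; after that,
# membership in either LDAP group grants access.
POLICY: List[Rule] = [
    Rule("files", "group", "wheel", required=True),
    Rule("ldap", "group", "developers", required=False),
    Rule("ldap", "group", "ldapadmins", required=False),
]

if __name__ == "__main__":
    for name in ("alice", "bob", "dave", "erin"):
        decision, steps = evaluate(POLICY, name)
        print(f"{name}: {decision}")
        for line in steps:
            print("   ", line)
```

Running the block prints one decision per user with its trace: alice passes the mandatory local rule and is then granted by the ldapadmins rule, bob and erin are denied at rule 1 because the required local check fails, and dave reaches the end of the list with only the required rule passed.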
5.3 PAM_AUTHZ login authorization 141