LDAP-UX Client Services B.05.00 Administrator's Guide

5.3.5 Policy validator
PAM_AUTHZ works as a policy validator. Once it receives a PAM request, it starts to process
the access rules defined in pam_authz.policy. It validates and determines the user's login
authorization based on the user's login name and the information it retrieves from various name
services. The result is then returned to the PAM framework.
PAM_AUTHZ processes access rules in the order they are defined in the access policy file. It
stops processing the access rules when any one of the access rules is evaluated to be true (match).
That rule is called the "authoritative" rule. If any access rule is evaluated to be false (no match),
the rule is skipped. If any access rule is evaluated to be true (match) but has the action required
assigned to it, then access rule processing continues with the next rule. An access rule that has
the action required assigned to it that evaluates to false (no match) will cause processing to
end and the user is restricted from login. If all access rules in the policy file have been evaluated
but the user's access right cannot be determined, the user is restricted from login.
NOTE:
If the user's login name is root or UID is 0, PAM_AUTHZ does not process the access rules
defined in the access policy file. The root user is always granted login access.
The default <action> of PAM_AUTHZ is deny if no authoritative rule is found.
PAM_AUTHZ skips an access rule, without processing it, in the following situations:
• The access rule contains the wrong syntax.
• PAM_AUTHZ processes the ldap_filter and ldap_group types of access rules by
querying the LDAP directory server through the ldapclientd daemon. If LDAP-UX Client
Services is not running, PAM_AUTHZ skips all ldap_filter and ldap_group rules.
5.3.5.1 An example of access rule evaluation
The following shows an example of an access policy file:
allow:unix_user:user1,user2,user3,user4
required:ldap_filter:(status=active)
allow:unix_group:group1,group2
deny:unix_group:group11,group12
allow:netgroup:netgroup1,netgroup2
allow:ldap_group:ldapgroup1,ldapgroup2
allow:ldap_filter:(&(manager=Joeh)(department=marketing)(hostname=$[HOSTNAME]))
PAM_AUTHZ processes access rules in the order they are defined in the access policy file. It
stops evaluating the access rules when any one of the access rules is matched, unless that rule
has the action required assigned. In the preceding example, if the user2 user attempts to log
in, the login name matches one of the user names in the first access rule, so PAM_AUTHZ stops
evaluating the rest of the access rules and allows the user2 user to log in. For another example,
user5 attempts to log in and this user is only a member of ldapgroup2. PAM_AUTHZ validates
user5's login access and, when the fifth access rule is evaluated to be true, user5 is granted
login access.
Now assume that the user6 user has the attribute status set to active, reports to Joeh, has
a job related to marketing, and has a hostname attribute with the returned value HostSrv in the
user entry in the LDAP directory. PAM_AUTHZ starts to validate user6's login access by
evaluating the access rules defined in the access policy file in order. The second rule is evaluated
to be true, but since the action assigned to this rule is required, processing continues with the
next rule. The sixth access rule is evaluated to be true, and user6 is allowed to log in to the
host, HostSrv.
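The following is an added example that simulates the rule-evaluation behaviour described in section 5.3.5 and walked through in section 5.3.5.1; it is not HP code and is not how PAM_AUTHZ is implemented. The policy text is a copy of the example policy file above, the user records, attribute values and the host name HostSrv are constructed, and the LDAP filter matcher supports only equality, presence, &, | and ! (enough for the filters in the example). It reproduces the first-match ("authoritative") rule, the required action in both its satisfied and failed forms, the default deny, the root bypass, and the skipping of rules with wrong syntax or of LDAP rules when ldapclientd is not running.

```python
"""Simulation of PAM_AUTHZ access-rule evaluation (added example, not HP code).
The policy text, user records and host name below are constructed."""

ACTIONS = {"allow", "deny", "required"}
LDAP_TYPES = {"ldap_filter", "ldap_group"}
RULE_TYPES = {"unix_user", "unix_group", "netgroup"} | LDAP_TYPES

# Constructed copy of the manual's example policy (same rules, same order).
POLICY = """\
allow:unix_user:user1,user2,user3,user4
required:ldap_filter:(status=active)
allow:unix_group:group1,group2
deny:unix_group:group11,group12
allow:netgroup:netgroup1,netgroup2
allow:ldap_group:ldapgroup1,ldapgroup2
allow:ldap_filter:(&(manager=Joeh)(department=marketing)(hostname=$[HOSTNAME]))
"""


def parse_rules(text):
    """Split the policy into (action, type, value) triples. A line with wrong
    syntax becomes None so the evaluator can skip it, as PAM_AUTHZ does."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[0] not in ACTIONS \
                or parts[1] not in RULE_TYPES or not parts[2]:
            rules.append(None)
        else:
            rules.append(tuple(parts))
    return rules


def match_filter(filt, attrs):
    """Evaluate a small subset of LDAP filter syntax against a dict mapping
    attribute -> list of values: (attr=value), (attr=*), (&...), (|...), (!...).
    Raises ValueError on malformed input."""
    def parse(i):
        if i >= len(filt) or filt[i] != "(":
            raise ValueError("expected '('")
        i += 1
        if i >= len(filt):
            raise ValueError("truncated filter")
        op = filt[i]
        if op in "&|!":
            i += 1
            results = []
            while i < len(filt) and filt[i] == "(":
                r, i = parse(i)
                results.append(r)
            if i >= len(filt) or filt[i] != ")" or not results:
                raise ValueError("unbalanced filter")
            i += 1
            if op == "&":
                return all(results), i
            if op == "|":
                return any(results), i
            return not results[0], i
        j = filt.find(")", i)
        if j < 0 or "=" not in filt[i:j]:
            raise ValueError("bad comparison")
        attr, _, value = filt[i:j].partition("=")
        values = attrs.get(attr, [])
        return (bool(values) if value == "*" else value in values), j + 1

    result, end = parse(0)
    if end != len(filt):
        raise ValueError("trailing characters")
    return result


def evaluate(policy_text, user, ldap_running=True, hostname="HostSrv"):
    """Return (decision, rule_number): the 1-based number of the authoritative
    rule, or None when the root bypass or the default deny decided."""
    if user["name"] == "root" or user.get("uid") == 0:
        return "allow", None                      # root never goes through the rules
    for number, rule in enumerate(parse_rules(policy_text), start=1):
        if rule is None:
            continue                              # wrong syntax: skipped
        action, rtype, value = rule
        if rtype in LDAP_TYPES and not ldap_running:
            continue                              # ldapclientd not running: LDAP rules skipped
        try:
            if rtype == "ldap_filter":
                filt = value.replace("$[HOSTNAME]", hostname)
                matched = match_filter(filt, user.get("ldap_attrs", {}))
            elif rtype == "unix_user":
                matched = user["name"] in value.split(",")
            else:                                 # unix_group, netgroup, ldap_group
                matched = bool(set(value.split(",")) & set(user.get(rtype, ())))
        except ValueError:
            continue                              # malformed filter: treated as wrong syntax
        if action == "required":
            if not matched:
                return "deny", number             # failed required rule ends processing
            continue                              # satisfied required rule: keep going
        if matched:
            return action, number                 # first matching allow/deny is authoritative
    return "deny", None                           # no authoritative rule: default deny


if __name__ == "__main__":
    user6 = {"name": "user6", "ldap_attrs": {"status": ["active"], "manager": ["Joeh"],
                                             "department": ["marketing"], "hostname": ["HostSrv"]}}
    print(evaluate(POLICY, user6))                # ('allow', 7)
```

Running it with the user6 record shows the required rule being satisfied and processing continuing until the final ldap_filter rule matches; the same record with ldap_running=False ends in the default deny because every LDAP rule is skipped and no other rule matches, and a user5 record that lacks status=active is stopped at the required rule regardless of its ldapgroup2 membership.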
144 Administering LDAP-UX Client Services