LDAP-UX Client Services B.05.00 Administrator's Guide

5.3.7 Constructing an access rule in the access policy file
In the access policy file, an access rule consists of three fields, in this order:
<action>:<type>:<object>
All fields are mandatory except the <object> field, which may be omitted when passwd_compat,
unix_local_user, or Other is specified in the <type> field. If any field is missing or has
incorrect syntax, the access rule is considered invalid and is ignored by PAM_AUTHZ.
These fields have the following limitations:
No leading or trailing white space is allowed in a field
Fields are separated by the separator ":"
No leading or trailing white space is allowed around a separator
An access rule is terminated by a carriage return
5.3.7.1 Fields in an access rule
Table 5-1 summarizes all possible values and the syntax of each field in an access rule:
Table 5-1 Field syntax in an access rule

<action>: deny, allow, required, <pam_code>
<type>: unix_user
<object>: A list of user names. It can be a multi-valued field. Each value is a
character string; values are separated by the separator "," (ASCII 2C HEX).
Example: user1, user2, user3

<action>: deny, allow, required, <pam_code>
<type>: unix_local_user
<object>: No value is required.

<action>: deny, allow, required, <pam_code>
<type>: unix_group
<object>: A list of group names. It can be a multi-valued field. Each value is a
character string; values are separated by the separator "," (ASCII 2C HEX).
Example: group1, group2, group3

<action>: required, <pam_code>
<type>: passwd_compat
<object>: No value is required.

<action>: deny, allow, required, <pam_code>
<type>: netgroup
<object>: A list of netgroup names. It can be a multi-valued field. Each value is a
character string; values are separated by the separator "," (ASCII 2C HEX).
Example: netgroup1, netgroup2, netgroup3

<action>: deny, allow, required, <pam_code>
<type>: ldap_group
<object>: The Distinguished Name of an LDAP group with the groupofnames objectclass or
the groupofuniquenames objectclass. It is a single-valued field. No separator is
required. The syntax of a DN is defined in RFC2253.
Example: cn=ldapgroup1,cn=groups,dc=mydomain,dc=com

<action>: deny, allow, required, <pam_code>
<type>: ldap_filter
<object>: A single search descriptor that specifies one or more (attribute=value) or
(attribute=$[variable_name]) pairs. $[variable_name] is a dynamic variable. It is a
single-valued field. Only one search filter is allowed. No separator is required.
The syntax of DN is defined in RFC2254.
Example: (&(manager=Joeh)(department=sales)(hostcontrol=$[HOSTNAME]))
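As an added illustration (not code from the guide or from LDAP-UX itself), the following Python checker applies the rule syntax above and the field syntax of Table 5-1 to a constructed policy fragment, rejecting the rules PAM_AUTHZ would ignore. It assumes a <pam_code> action is any upper-case token (the page does not enumerate them), trims white space around each ","-separated value as the table's examples show, and does not model the Other type, whose fields are not listed on this page.

```python
import re
# Actions each <type> accepts (Table 5-1). Assumption: a <pam_code> action is
# any upper-case token, since the page does not enumerate them.
RULE_TYPES = {t: {"deny", "allow", "required"} for t in ("unix_user",
             "unix_local_user", "unix_group", "netgroup", "ldap_group", "ldap_filter")}
RULE_TYPES["passwd_compat"] = {"required"}
NO_OBJECT = {"passwd_compat", "unix_local_user"}        # <object> optional
MULTI_VALUED = {"unix_user", "unix_group", "netgroup"}  # "," separated list
PAM_CODE = re.compile(r"[A-Z][A-Z0-9_]*$")
DYNVAR = re.compile(r"\$\[(\w+)\]")                     # $[variable_name]

def single_filter(s):
    """True only if s is exactly one parenthesised search filter (RFC 2254)."""
    depth = 0
    for i, ch in enumerate(s):
        depth += (ch == "(") - (ch == ")")
        if depth < 0 or (depth == 0 and i != len(s) - 1):
            return False
    return depth == 0 and s.startswith("(")

def parse_rule(line):
    """Return a dict for a valid rule, or None where PAM_AUTHZ would ignore it."""
    fields = line.rstrip("\r\n").split(":", 2)   # <object> itself may hold ":"
    fields += [""] * (3 - len(fields))           # <object> omitted entirely
    if any(f != f.strip() for f in fields):
        return None                              # stray space in field/separator
    action, rtype, obj = fields
    if rtype not in RULE_TYPES or (action not in RULE_TYPES[rtype]
                                   and not PAM_CODE.match(action)):
        return None                              # unknown type or action
    if rtype in NO_OBJECT:
        objects = []
    elif not obj or (rtype == "ldap_filter" and not single_filter(obj)):
        return None                              # <object> missing / not one filter
    elif rtype in MULTI_VALUED:
        objects = [v.strip() for v in obj.split(",")]
    else:
        objects = [obj]                          # one DN or one search filter
    return {"action": action, "type": rtype, "objects": objects,
            "variables": DYNVAR.findall(obj)}

def load_policy(text):
    """Parse a whole policy file, skipping invalid rules as PAM_AUTHZ does."""
    return [r for r in map(parse_rule, text.splitlines()) if r]
# Constructed sample policy; the last two rules are deliberately invalid.
SAMPLE_POLICY = """allow:unix_user:user1, user2, user3
required:passwd_compat
deny:ldap_filter:(&(manager=Joeh)(department=sales)(hostcontrol=$[HOSTNAME]))
allow:unix_group: group1
deny:ldap_filter:(a=1)(b=2)"""
```

Running load_policy(SAMPLE_POLICY) keeps the first three rules and drops the rule with a leading space in its <object> field and the one carrying two search filters.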