LDAP-UX Client Services B.05.00 Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP-UX LDAP-UX Integration Software

141

142

143

144

145

146

147

148

149

150

Table 5-1 Field syntax in an access rule (continued)

No value is required.

otherdeny, allow, required,

<pam_code>

<function_name>

Specifies the function name in <library_name> that

is called to evaluate certain policy settings of the login

user.

Example:

status:rhds:check_ads_polcy

See the “Account and Password Security Policy

Enforcement “ section for details.

<library_name>

The valid value for

this field can be rhds

or ads.

status

The following describes three fields defined in an access rule in details:

<action> This field defines a user's final access permission if an access rule is evaluated to

be true. Valid entries can be allow, deny, required, and PAM return codes.

Allow, deny, and required are character strings and the value itself is not case

sensitive. In additional to the general return codes, allow and deny, LDAP-UX

Client Services B.04.10 or later PAM_AUTHZ supports the meaningful PAM return

codes to the application which called the PAM API. PAM_AUTHZ does not

evaluate an access rule if no option is defined or if the action field contains an

invalid string.

<action> field can be one of following values:

allow

This option indicates that a user is granted the login authorization.

deny

This option indicates that a user is denied the login authorization.

required

This option indicates that a user is denied the login authorization if the rule

evaluates to false, or that processing should continue to the next rule if the rule

evaluates to true.

<pam_code>

One of the following meaningful PAM return codes can be specified in the

<action> field, the PAM return codes are character strings:

• PAM_SUCCESS

• PAM_PERM_DENIED

• PAM_MAXTRIES

• PAM_AUTH_ERR

• PAM_NEW_AUTHTOK_REQD

• PAM_AUTHTOKEN_REQD

• PAM_CRED_INSUFFICIENT

• PAM_AUTHINFO_UNAVAIL

• PAM_USER_UNKNOWN

• PAM_ACCT_EXPIRED

• PAM_AUTHTOK_EXPIRED

For example, if the PAM_AUTHZ policy rule indicates that an account has been

locked out or a password has expired, PAM_AUTHZ can return an appropriate

PAM error code instead of a general deny error code.

5.3 PAM_AUTHZ login authorization 147