LDAP-UX Client Services B.05.00 Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP-UX LDAP-UX Integration Software

151

152

153

154

155

156

157

158

159

160

NOTE: Beginning with version 5.0 of the product, LDAP-UX Client

Services supports integrated compat mode to control which users are

visible on a host, where the user accounts are referenced by netgroups

specified in the /etc/passwd file. For more information, see “Enabling

integrated Compat Mode to control name services and user logins”

(page 104)

ldap_group This option specifies that an access rule is based on the non-POSIXGroup

membership. PAM_AUTHZ supports LDAP group with groupOfNames

or groupOfUniqueNamesobjectclass. A list of ldap_group names is

specified in the <object> field. The group membership information is

stored in the LDAP directory server. An example of a ldap_group type

of access rule is as follows:

deny:ldap_group:engineering_ldapgroup,support_ldapgroup,epartner_ldapgroup

PAM_AUTHZ retrieves group membership of each listed group from

the directory server through LDAP-UX client services. Then, it examines

if the user's distinguished name (DN) matches any value in the member

or uniquemember attribute.

5.3.9 Dynamic variable access rule

PAM_AUTHZ supports dynamic variables in the ldap_filter type of the access rule. A

dynamic variable is defined in <object> (LDAP search filter) field, it can consist of one or more

(attribute=$[variable_name]) pairs. The syntax of an access rule with the dynamic variable is:

<action>:ldap_filter:(attribute=$[variable_name])

For example, if an administrator has an attribute named hostControl defined in the directory,

and wants to use this attribute to define which host a user can log on to. He may add the following

access rule in the access policy file:

allow:ldap_filter:(hostControl= hostA)

Where hostA is the value for the local host that the user must be granted access. If a user, John,

has a hostControl attribute in his user entry in the LDAP directory and the value is hostA,

then the access rule is evaluated to be true and this user is allowed to log in to the host, hostA.

In the above example, a dynamic variable HOSTNAME can be used. The previous access rule can

be re-defined as follows:

allow: ldap_filter: (hostControl=$[HOSTNAME])

where $[HOSTNAME] represents a dynamic variable function which will be called to retrieve

the local host name information. PAM_AUTHZ will then substitute its return value to the search

filter.

5.3.9.1 Supported functions for dynamic variables

In LDAP-UX Client Services, PAM_AUTHZ provides the following default dynamic variable

functions in the libpolicy_commonauthz library. These functions can be used as dynamic

variables specified in the ldap_filter type of access rules::

HOSTNAME Returns the host name of the local system from which the user attempts to

log on. For example, hostA.

HOSTNAMEWD Returns the fully qualified host name of the local system from which the

user attempts to log on. For example, hostA.hp.com.

HOSTIP Returns the IP address of the local system from which the user attempts to

log on. For example, 12.10.2.105.

5.3 PAM_AUTHZ login authorization 151