LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory Server Administrator's Guide (obsolete beyond B.05.00)

PAM_AUTHZ Environment
1. The administrator defines access rules and saves them in a local access policy configuration file.
2. The PAM_AUTHZ service module receives an authorization request from the PAM framework. It processes all the access rules stored in the access policy configuration file.
3. If a rule indicates that the required information is stored in an LDAP server, PAM_AUTHZ constructs a request message and sends it to the LDAP client daemon, ldapclientd. The LDAP client daemon performs the actual LDAP query and returns the result to PAM_AUTHZ. The access rule is then evaluated and the final access right is returned.
4. If a rule indicates that the required information is in the UNIX files, PAM_AUTHZ retrieves the user's information from the /etc/passwd, /etc/group or /etc/netgroup file through the getpwnam() or getgrnam() calls. The rule is then evaluated and the final access right is returned.
5. PAM_AUTHZ returns the corresponding PAM result to the PAM framework. The decision is returned to the application that called the PAM API.
6. If the user has permission to log in, the decision is returned to the next PAM service module configured in the pam.conf file, such as PAM_LDAP or PAM_KERBEROS. If the access rule passed but is assigned the required action type, PAM_AUTHZ continues and evaluates the next access policy rule. If the access rule failed and is assigned the required action type, or if processing reaches the end of the rules (after they have all failed), login is denied.
7. The PAM service module returns the authentication result to the application that called the PAM API.
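The rule-walking order of steps 2 through 6, as an added example that is not from the LDAP-UX guide: a small Python model in which the "files" and "ldap" lookups are in-memory tables standing in for getpwnam()/getgrnam() and for the query sent to ldapclientd. The Rule fields, the sample policy and the user and group data are constructed for illustration and are not the real access policy file format.

```python
from dataclasses import dataclass

# Constructed stand-ins for the two lookup paths (steps 3 and 4). The real
# module resolves "files" rules with getpwnam()/getgrnam() and "ldap" rules by
# asking ldapclientd; here both are in-memory tables so the example runs offline.
LOCAL_GROUPS = {"wheel": {"root", "alice"}}                        # /etc/group
LDAP_GROUPS = {"cn=ops,ou=groups,dc=example,dc=com": {"bob", "carol"}}
LDAP_LOCKED = {"carol"}                        # locked-account attribute in LDAP


@dataclass(frozen=True)
class Rule:
    source: str     # "files" or "ldap": where the information lives (steps 3-4)
    check: str      # "group" (membership) or "unlocked" (account policy)
    value: str      # group name or DN for "group"; unused for "unlocked"
    required: bool  # the "required action type" of step 6


def rule_passes(rule: Rule, user: str) -> bool:
    """Evaluate one rule against the user using the rule's lookup source."""
    if rule.check == "group":
        table = LOCAL_GROUPS if rule.source == "files" else LDAP_GROUPS
        return user in table.get(rule.value, set())
    if rule.check == "unlocked":
        return user not in LDAP_LOCKED
    raise ValueError(f"unknown check type: {rule.check}")


def authorize(rules: list[Rule], user: str) -> tuple[str, str]:
    """Walk the rules in file order and return ("allow"|"deny", reason) per step 6."""
    for idx, rule in enumerate(rules, 1):
        passed = rule_passes(rule, user)
        if rule.required:
            if not passed:
                return "deny", f"required rule {idx} failed"
            continue            # required rule passed: keep evaluating
        if passed:
            return "allow", f"rule {idx} granted access"
    return "deny", "end of rules reached without a grant"


# Constructed policy: an account-lock check that must pass, then two grants.
POLICY = [
    Rule("ldap", "unlocked", "", required=True),
    Rule("files", "group", "wheel", required=False),
    Rule("ldap", "group", "cn=ops,ou=groups,dc=example,dc=com", required=False),
]

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        print(user, *authorize(POLICY, user))
```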
6.4.3 PAM_AUTHZ supports security policy enforcement
PAM_AUTHZ supports enforcement of account and password policies stored in a directory server. This feature works with SSH (Secure Shell) and with r-commands with rhost enabled, where authentication is not performed by the PAM (Pluggable Authentication Module) subsystem but by the command itself.
For more information on how to configure access rules in the access policy configuration file, set
global policy access permissions, and configure the pam.conf file for security policy enforcement
when using SSH key-pairs or r-commands, see Section 6.4.10 (page 108).
6.4.3.1 Authentication using PAM
Because the PAM framework is pluggable, the backend support for PAM's authentication, account management, session management, and password management services can be directed to alternate repositories, such as a directory server or a Kerberos key distribution center (KDC). When the authentication functions are invoked, the UNIX identity is translated into an ID that represents that user in the backend repository (such as a distinguished name in a directory server or a principal in a Kerberos KDC). If the backend authentication operation succeeds, the PAM backend authentication function returns success to the PAM authentication subsystem.
With LDAP (PAM_LDAP) or Kerberos (PAM_KERBEROS), when authentication occurs, not only is the user authenticated, but security policy checks also occur. If the account is locked or a password has expired, the directory server or KDC returns an error to the PAM authentication subsystem. However, the design of PAM is such that authentication and policy enforcement are handled by two different functions: the authentication function and the account management function, respectively.
In some cases, services such as ssh and rlogin can authenticate users without calling the PAM authentication function, but those services may still call the PAM account management function to determine if the account is disabled or if a password has expired. In this case, backend PAM modules such as PAM_LDAP and PAM_KERBEROS may not be able to perform security policy checks, since those checks are done in the authentication function. You can use PAM_AUTHZ to supplement the security policy checks that are not performed by PAM_LDAP or PAM_KERBEROS, if the security policy information can be found in the directory server.
100 Administering LDAP-UX Client Services