LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory Server Administrator's Guide (obsolete beyond B.05.00)
For example, if the PAM_AUTHZ policy rule indicates that an account has been
locked out or a password has expired, PAM_AUTHZ can return an appropriate PAM
error code instead of a general deny error code.
<status>
Use of the status rule only applies when the action is to call a library function. In
this case, the status rule is always evaluated and always returns a code to the
PAM subsystem. Therefore, the status rule should always be the last and only
status rule in your policy file.
<type>
The value in this field represents the type of access rule. It defines what kind of user
information PAM_AUTHZ needs to look for. The value also helps to determine
the correct syntax in the following <object> field.
The following describes the valid values for this field:
unix_user, unix_local_user, unix_group, netgroup, ldap_group
Rules that have one of these specified as the <type> field are defining a static list
access rule. For this rule, the <object> field is specified as a predefined list of
identifiers. The identifiers are matched directly with data in the login request. This
<type> field specifies where PAM_AUTHZ will look to determine if the login field is
present in the appropriate data store, such as /etc/passwd, /etc/group, etc.
If the login field is found, the rule is evaluated to be true. The final access right is
determined by the <action> field. See Section 6.4.8 (page 106) for details.
passwd_compat
Controls access permission using NIS-style escapes in /etc/passwd. This is
identical to the default behavior of PAM_AUTHZ when there is no access policy file
present. The passwd_compat type supports only status or required in the
action field, and anything specified in the <object> field is ignored.
NOTE: Use of netgroups, which are used by passwd_compat, is not supported
in ADS. References here are for information only.
other
PAM_AUTHZ ignores any access rules defined in the <object> field. The access
rule is evaluated to be true immediately. For example,
allow:other
In the above example, all users are granted login access to the machine. The
primary usage of this type of rule is to toggle the PAM_AUTHZ default <action>.
ldap_filter
In role-based access management, permission to access a resource is controlled
by the user's role, such as sales force, technical support or subscriber status. Such
roles are typically defined by common business attributes of users, according to
company policies. The same concept is applied to the ldap_filter access rule.
A search filter is defined in <object> field. A search filter consists of one or more
(attribute=value) pairs. If the user entry is successfully retrieved from a directory
server by using the search filter, the access rule is considered to be true. Examples
of ldap_filter type of access rule are as follows:
allow:ldap_filter:(&(manager=paulw)(businesscategory=marketing))
In the above example, if a user reports to paulw and the user's job is related to
marketing, then the user is granted login access. The rule structure is very
flexible about how to define access for certain groups of users.
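As an added illustration (not code from LDAP-UX or this guide), the following Python evaluates a constructed policy written in the `<action>:<type>:<object>` form described above, including the `allow:other` default toggle and the ldap_filter example. The top-to-bottom first-match semantics, the comma-separated <object> list for static-list rules, the use of the login name as the LDAP entry key, the sample users/groups/entries and the minimal filter matcher are all assumptions made for this example.

```python
import re

# Constructed data standing in for /etc/passwd, /etc/group and the directory.
LOCAL_USERS = {"root", "operator"}
UNIX_GROUPS = {"wheel": {"root", "alice"}, "sales": {"bob"}}
LDAP_ENTRIES = {
    "carol": {"manager": "paulw", "businesscategory": "marketing"},
    "bob": {"manager": "paulw", "businesscategory": "sales"},
    "dave": {"manager": "ann", "businesscategory": "marketing"},
}

# Constructed policy: first rule whose <type>/<object> test is true decides.
POLICY = """
deny:unix_user:guest,nobody
allow:unix_group:wheel
allow:ldap_filter:(&(manager=paulw)(businesscategory=marketing))
deny:other
"""

def match_filter(entry, flt):
    """Minimal matcher for (attr=value) terms joined by & or |; not a full
    LDAP filter parser, only what the rule types above need."""
    flt = flt.strip()
    if flt[:2] in ("(&", "(|"):
        terms = re.findall(r"\([^()]*\)", flt[2:-1])
        results = [match_filter(entry, t) for t in terms]
        return all(results) if flt[1] == "&" else any(results)
    m = re.fullmatch(r"\((\w+)=([^()]*)\)", flt)
    if not m:
        raise ValueError("unsupported filter: " + flt)
    return entry.get(m.group(1).lower(), "").lower() == m.group(2).lower()

def rule_matches(user, rtype, obj):
    if rtype == "other":            # <object> ignored; always true
        return True
    if rtype == "unix_user":        # static list of login names
        return user in obj.split(",")
    if rtype == "unix_local_user":  # present in the local passwd data
        return user in LOCAL_USERS
    if rtype == "unix_group":       # member of any listed group
        return any(user in UNIX_GROUPS.get(g, ()) for g in obj.split(","))
    if rtype == "ldap_filter":      # entry found with the search filter
        return user in LDAP_ENTRIES and match_filter(LDAP_ENTRIES[user], obj)
    raise ValueError("unsupported type: " + rtype)

def authorize(user, policy=POLICY):
    """True = login allowed, False = denied (no matching rule also denies)."""
    for line in policy.strip().splitlines():
        parts = line.split(":", 2)
        action, rtype = parts[0], parts[1]
        obj = parts[2] if len(parts) > 2 else ""
        if rule_matches(user, rtype, obj):
            return action == "allow"
    return False
```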
6.4 PAM_AUTHZ login authorization 105