LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory Server Administrator's Guide (obsolete beyond B.05.00)

PAM_ACCT_EXPIRED:ldap_filter:(nsAccountLock=TRUE)
In the above example, if a user account has been locked out and this access rule
evaluates to true, PAM_AUTHZ returns the PAM_ACCT_EXPIRED code.
In LDAP-UX Client Services B.04.10 or later, PAM_AUTHZ supports dynamic variables
in the ldap_filter type of access rule. A search filter can consist of one or more
(attribute=$[function_name]) pairs and is defined in the <object> field.
Each [function_name] is called and its return value is substituted into the search
filter. The search filter is then processed in the same way as the example above. For detailed
information about dynamic variable support, see Section 6.4.9 (page 107).
<library_name> When status is specified in the <action> field, this defines a rule that is evaluated
to perform account and password policy enforcement. This access rule defines a
library, in the <library_name> field (for Windows domains, the
<library_name> is ads), to be loaded, and a function, in the <function_name>
field, to be invoked to perform policy evaluation for a
particular directory server. See Section 6.4.10.1 (page 109) for detailed information
on the supported values and usage of this access rule.
<object> The values in this field define the policy criteria that PAM_AUTHZ uses to validate
the login name. The meaning of the values in this field depends on the option
stated in the <type> field.
6.4.8 Static list access rule
When the value in the <type> field is one of unix_user, unix_group, netgroup, or
ldap_group, the rule is evaluated using a list of predefined values in the <object> field. Based
on the value in the <type> field, PAM_AUTHZ calls the appropriate service to determine whether the
requested item is present. If the requested information is found, the rule evaluates to true.
The following describes the values for this field in detail:
unix_user This option indicates that an administrator wants to control login access
by comparing a user's login name with a list of predefined users. If the
login name matches one of the user names in the list, the authorization
statement evaluates to true. The final access right is determined by
evaluating the <action> field. An example of a unix_user type of
access rule is as follows:
allow:unix_user:myuser1,myuser2,myuser3
If the user myuser3 attempts to log in, the above access rule evaluates
to true and the user is granted login access.
unix_local_user This option indicates that an administrator wants to control login access
by comparing a local user's login name with the user accounts in
the /etc/passwd file. If the login name matches one of the user accounts
defined in /etc/passwd, the authorization statement evaluates to
true. Otherwise, the rule is skipped. An example of a unix_local_user
type of access rule is as follows:
allow:unix_local_user
As an example, if a user account, myuser5, is defined in /etc/passwd,
the above access rule evaluates to true and the user
myuser5 is granted login access to the local host.
unix_group This option specifies that an administrator wants to control login access
using the user's group membership. You can specify a list of group
names in the <object> field. PAM_AUTHZ retrieves the group information
106 Administering LDAP-UX Client Services
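As an added example (not code from the guide or from LDAP-UX itself), the following Python evaluates static-list access rules of the <action>:<type>:<object> form shown above for the unix_user, unix_local_user and unix_group types, against constructed /etc/passwd and /etc/group contents. It assumes that "deny" is a valid <action>, that rules are tried in file order with the first rule that evaluates true deciding the result, and that unix_group membership covers both explicitly listed members and the user's primary group.

```python
# Added example (not from the LDAP-UX guide): evaluates the static-list
# PAM_AUTHZ rule types unix_user, unix_local_user and unix_group. Assumed:
# "deny" is a valid <action>, and the first rule that evaluates true decides.

# Constructed sample data standing in for /etc/passwd and /etc/group.
PASSWD = """myuser5:x:1005:100:Local User:/home/myuser5:/bin/sh
opuser:x:1010:200:Operator:/home/opuser:/bin/sh"""
GROUP = """users:x:100:
operators:x:200:myuser1
wheel:x:0:opuser,myuser2"""
RULES = """deny:unix_group:wheel
allow:unix_user:myuser1,myuser2,myuser3
allow:unix_local_user
allow:unix_group:operators"""

def parse_passwd(text):  # login name -> primary GID
    return {f[0]: f[3] for f in (l.split(":") for l in text.splitlines()) if len(f) >= 4}

def parse_group(text):  # group name -> (GID, set of explicitly listed members)
    rows = (l.split(":") for l in text.splitlines())
    return {f[0]: (f[2], {m for m in f[3].split(",") if m}) for f in rows if len(f) >= 4}

def user_groups(login, passwd, groups):  # assumed: explicit members + primary GID
    gid = passwd.get(login)
    return {g for g, (ggid, members) in groups.items() if login in members or ggid == gid}

def parse_rules(text):  # each line -> (action, type, object); <object> may be absent
    parts = [l.strip().split(":", 2) for l in text.splitlines()]
    return [(p[0], p[1], p[2] if len(p) > 2 else "") for p in parts if len(p) >= 2]

def rule_is_true(rule, login, passwd, groups):
    _, rtype, obj = rule
    listed = {v for v in obj.split(",") if v}
    if rtype == "unix_user":        # login name is in the predefined list
        return login in listed
    if rtype == "unix_local_user":  # login name exists in the local passwd file
        return login in passwd
    if rtype == "unix_group":       # member of at least one listed group
        return bool(user_groups(login, passwd, groups) & listed)
    raise ValueError("unsupported rule type: " + rtype)

def authorize(login, rules_text=RULES, passwd_text=PASSWD, group_text=GROUP):
    """<action> of the first rule that evaluates true (false rules are skipped),
    or None when no rule matched."""
    passwd, groups = parse_passwd(passwd_text), parse_group(group_text)
    for rule in parse_rules(rules_text):
        if rule_is_true(rule, login, passwd, groups):
            return rule[0]
    return None
```

Note that rule order matters: myuser2 is listed in the allow:unix_user rule but is denied because the deny:unix_group:wheel rule comes first and evaluates true.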