LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory Server Administrator's Guide (obsolete beyond B.05.00)
of each listed group by querying the name services specified in
nsswitch.conf. That means the group entries may come from any of those
sources (files, nis, ldap, etc.). If the login user belongs to any of the groups in
the list, the access rule is evaluated to be true. Otherwise, the rule is
skipped. An example of a unix_group access rule is shown as follows:
deny:unix_group:myunixgroup10,myunixgroup11,myunixgroup12
A user who is a member of myunixgroup12 tries to log in. The rule
is evaluated to be true and the <action> is applied: the user is denied
access to the machine even with a valid password.
netgroup This option specifies that the access permission is determined by the user's
netgroup membership. You must specify a list of netgroup names in the
<object> field. If the user is a member of one of the netgroups specified
in the netgroup list, then the access rule is evaluated to be true.
PAM_AUTHZ obtains the netgroup information by querying the name
services specified in nsswitch.conf. For example:
allow:netgroup:netgroup1,netgroup2,netgroup3
A user tries to log in and he belongs to netgroup1. The above access
rule is evaluated to be true. The user is granted login access.
NOTE: Use of netgroups, which are used by passwd_compat, is not
supported in Windows ADS. References here are for information only.
ldap_group This option specifies that an access rule is based on membership in a
non-posixGroup LDAP group. PAM_AUTHZ supports LDAP groups with the
groupOfNames or groupOfUniqueNames objectclass. A list of ldap_group names is
specified in the <object> field. The group membership information is
stored in the directory server. An example of an ldap_group type of
access rule is as follows:
deny:ldap_group:engineering_ldapgroup,support_ldapgroup,epartner_ldapgroup
PAM_AUTHZ retrieves the membership of each listed group from the
directory server through LDAP-UX client services. It then checks whether the
user's Distinguished Name (DN) matches any value of the group's member or
uniquemember attribute.
6.4.9 Dynamic variable access rule
PAM_AUTHZ supports dynamic variables in the ldap_filter type of access rule. A dynamic
variable is used in the <object> (LDAP search filter) field, which can consist of one or more
(attribute=$[variable_name]) pairs. The syntax of an access rule with a dynamic variable is:
<action>:ldap_filter:(attribute=$[variable_name])
For example, suppose an administrator has an attribute named hostControl defined in the directory
and wants to use this attribute to control which host a user can log on to. The administrator may add
the following access rule to the access policy file:
allow:ldap_filter:(hostControl=hostA)
where hostA is the name of the local host to which the user is to be granted access. If a user, John,
has a hostControl attribute in his user entry in the directory server and its value is hostA, then
the access rule is evaluated to be true and this user is allowed to log in to the host hostA.
In the above example, the dynamic variable HOSTNAME can be used in place of the literal host
name. The previous access rule can be redefined as follows:
allow:ldap_filter:(hostControl=$[HOSTNAME])
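The following is an added example, not code from LDAP-UX or PAM_AUTHZ itself: a small Python model of how the access policy lines described in this section are evaluated (unix_group, netgroup, ldap_group and ldap_filter with the $[HOSTNAME] dynamic variable). The policy file, the user records, the in-memory stand-in for the directory and the "deny when no rule matches" fall-through are all constructed assumptions for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed sample policy file, in the page's <action>:<type>:<object> form
POLICY = """\
deny:unix_group:myunixgroup10,myunixgroup11,myunixgroup12
deny:ldap_group:engineering_ldapgroup,support_ldapgroup
allow:netgroup:netgroup1,netgroup2,netgroup3
allow:ldap_filter:(hostControl=$[HOSTNAME])
"""

@dataclass
class User:
    dn: str            # user's Distinguished Name in the directory
    unix_groups: set   # group names resolved via the nsswitch.conf sources
    netgroups: set     # netgroup names resolved via the nsswitch.conf sources
    attrs: dict        # attributes of the user's directory entry (name -> values)

# Constructed stand-in for the directory: LDAP group name -> member/uniquemember DNs
LDAP_GROUPS = {"engineering_ldapgroup": {"cn=jane,ou=people,dc=example,dc=com"}}

def expand(filt, variables):
    # Substitute every $[NAME] dynamic variable in an ldap_filter <object>
    return re.sub(r"\$\[(\w+)\]", lambda m: variables[m.group(1)], filt)

def filter_matches(filt, attrs):
    # Only the simple (attribute=value) filter shown on the page is handled (assumption)
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", filt)
    if not m:
        raise ValueError("unsupported filter: " + filt)
    return m.group(2) in attrs.get(m.group(1), [])

def rule_is_true(rtype, obj, user, variables):
    names = set(obj.split(","))
    if rtype == "unix_group":
        return bool(user.unix_groups & names)
    if rtype == "netgroup":
        return bool(user.netgroups & names)
    if rtype == "ldap_group":   # DN must appear among the group's member DNs
        return any(user.dn in LDAP_GROUPS.get(g, set()) for g in names)
    if rtype == "ldap_filter":
        return filter_matches(expand(obj, variables), user.attrs)
    raise ValueError("unknown rule type: " + rtype)

def authorize(policy, user, hostname, default="deny"):
    for line in policy.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        action, rtype, obj = line.strip().split(":", 2)
        if rule_is_true(rtype, obj, user, {"HOSTNAME": hostname}):
            return action  # rule evaluated true: its <action> is applied; false rules are skipped
    return default  # no rule matched: this fall-through is an assumption, not from the page
```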
6.4 PAM_AUTHZ login authorization 107