LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory Server Administrator's Guide (obsolete beyond B.05.00)
where $[HOSTNAME] represents a dynamic variable function that is called to retrieve the
local host name. PAM_AUTHZ then substitutes the function's return value into the search filter.
6.4.9.1 Supported functions for dynamic variables
In LDAP-UX Client Services B.04.10 and later, PAM_AUTHZ provides the following default dynamic
variable functions in the libpolicy_commonauthz library. These functions can be used as
dynamic variables in the ldap_filter type of access rules:
HOSTNAME
  Returns the host name of the local system from which the user attempts to log on.
  For example, hostA.
HOSTNAMEWD
  Returns the fully qualified host name of the local system from which the user attempts
  to log on. For example, hostA.hp.com.
HOSTIP
  Returns the IP address of the local system from which the user attempts to log on.
  For example, 12.10.2.105.
TERMINAL
  Returns the terminal type of the computer from which the user attempts to log on.
  For example, /dev/pts/0.
  Some applications (such as ssh or remsh) do not pass the terminal dynamic variable
  value to PAM_AUTHZ.
TIMEOFTHEDAY
  Returns the current time of the computer system from which the user attempts to log on.
  For example, 20061015125535Z represents October 15, 2006 at 12:55 and 35 seconds GMT.
  TIMEOFTHEDAY follows the “UTC Time” syntax as described by RFC 4517.
SERVICE
  Returns the name of the PAM service through which the user attempts to gain access.
  For example, common PAM service names include ftp, login, and telnet.
RHOSTIP
  Returns the IP address of the remote host system from which the user starts the
  PAM-enabled application, such as telnet.
RHOSTNAME
  Returns the name of the remote host system from which the user starts the PAM-enabled
  application, such as telnet.
RHOSTNAMEWD
  Returns the fully qualified name of the remote host system from which the user starts
  the PAM-enabled application, such as telnet.
6.4.9.2 Examples
The following is a sample access rule in the access policy file:
allow:ldap_filter:(WorkstationIP=$[HOSTIP])
The above policy rule performs a security policy validation for users stored in the directory server.
Suppose a user, Mary, has a WorkstationIP attribute in her user entry in the LDAP directory server
with the value 1.2.3.200. If Mary attempts to log in to the host with the IP address 1.2.3.200,
then the access rule evaluates to true and she is granted login access.
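The substitution and evaluation described above, as an added Python example that is not LDAP-UX code and is not taken from the guide: it expands a PAM_AUTHZ-style ldap_filter rule by replacing each $[...] dynamic variable, then evaluates the resulting filter against a user entry so the Mary / WorkstationIP case can be traced end to end. The resolver functions, the login-context field names (hostname, fqdn, hostip, service, terminal, rhost*), the names make_resolvers, expand_rule, matches and check_access, and the sample entry are all assumptions made here; the example also escapes substituted values per RFC 4515 before insertion, which the guide does not state PAM_AUTHZ does, and its filter evaluator covers only equality, &, | and !.

```python
# Added example, not LDAP-UX code: expand a PAM_AUTHZ-style ldap_filter access
# rule by substituting its $[...] dynamic variables, then evaluate the filter
# against a user entry. Assumptions: the resolvers stand in for the
# libpolicy_commonauthz functions, substituted values are escaped per RFC 4515
# (the guide does not say how PAM_AUTHZ treats filter metacharacters), and the
# evaluator handles only equality, &, | and ! (no wildcards or substrings).
import re
from datetime import datetime, timezone

RULE_RE = re.compile(r"^(allow|deny):ldap_filter:(\(.*\))$")
VAR_RE = re.compile(r"\$\[([A-Z]+)\]")

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def time_of_the_day(now=None) -> str:
    """TIMEOFTHEDAY: UTC time in RFC 4517 GeneralizedTime form, e.g. 20061015125535Z."""
    now = now or datetime.now(timezone.utc)
    return now.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")

def make_resolvers(ctx: dict, now=None) -> dict:
    """Map dynamic variable names to callables. ctx is a hypothetical login
    context standing in for what the PAM application passes to PAM_AUTHZ."""
    return {
        "HOSTNAME": lambda: ctx["hostname"],
        "HOSTNAMEWD": lambda: ctx["fqdn"],
        "HOSTIP": lambda: ctx["hostip"],
        "TERMINAL": lambda: ctx.get("terminal", ""),  # ssh/remsh may not pass it
        "TIMEOFTHEDAY": lambda: time_of_the_day(now),
        "SERVICE": lambda: ctx["service"],
        "RHOSTIP": lambda: ctx.get("rhostip", ""),
        "RHOSTNAME": lambda: ctx.get("rhostname", ""),
        "RHOSTNAMEWD": lambda: ctx.get("rhostnamewd", ""),
    }

def expand_rule(rule: str, resolvers: dict):
    """Return (action, filter) with every $[VAR] replaced by its escaped value."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"not an ldap_filter rule: {rule!r}")
    action, template = m.groups()

    def substitute(mo):
        name = mo.group(1)
        if name not in resolvers:
            raise KeyError(f"unknown dynamic variable $[{name}]")
        return escape_filter_value(str(resolvers[name]()))

    return action, VAR_RE.sub(substitute, template)

def _unescape(v: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)

def _parse(s: str, i: int):
    """Recursive-descent parser for the filter subset; returns (node, next_index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, kids), i + 1
    eq = s.index("=", i)
    close = s.index(")", eq)
    return ("=", s[i:eq], _unescape(s[eq + 1:close])), close + 1

def _eval(node, entry: dict) -> bool:
    kind = node[0]
    if kind == "=":
        return node[2] in entry.get(node[1].lower(), [])
    if kind == "&":
        return all(_eval(k, entry) for k in node[1])
    if kind == "|":
        return any(_eval(k, entry) for k in node[1])
    return not _eval(node[1][0], entry)  # "!"

def matches(filt: str, entry: dict) -> bool:
    """True if the entry (attribute -> list of values) satisfies the filter."""
    node, end = _parse(filt, 0)
    if end != len(filt):
        raise ValueError("trailing data after filter")
    return _eval(node, {k.lower(): v for k, v in entry.items()})

def check_access(rule: str, entry: dict, ctx: dict, now=None):
    """True when an allow rule matches, False when a deny rule matches, None
    when the filter does not match (a real policy would consult the next rule)."""
    action, filt = expand_rule(rule, make_resolvers(ctx, now))
    if not matches(filt, entry):
        return None
    return action == "allow"

# Constructed sample data mirroring the guide's Mary / WorkstationIP example.
SAMPLE_RULE = "allow:ldap_filter:(WorkstationIP=$[HOSTIP])"
MARY_ENTRY = {"uid": ["mary"], "WorkstationIP": ["1.2.3.200"]}
LOGIN_CTX = {"hostname": "hostA", "fqdn": "hostA.hp.com", "hostip": "1.2.3.200",
             "service": "login", "terminal": "/dev/pts/0"}
SAMPLE_TIME = datetime(2006, 10, 15, 12, 55, 35, tzinfo=timezone.utc)
```

Running check_access(SAMPLE_RULE, MARY_ENTRY, LOGIN_CTX) yields True because the expanded filter is (WorkstationIP=1.2.3.200) and Mary's entry carries that value; changing the login host's IP makes the filter miss and the function returns None, so the rule neither grants nor denies on its own. Escaping the resolved value before substitution keeps a value containing filter metacharacters from changing the shape of the filter the rule author wrote.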
6.4.10 Security policy enforcement with Secure Shell (SSH) or r-commands
PAM_AUTHZ has a limited ability to perform account and password security policy enforcement
without requiring LDAP-based authentication. This section describes how to configure the
security policy enforcement access rule, set up access permissions for global policy attributes,
and configure the PAM configuration file to support enforcement of account and password policies
stored in a directory server for applications such as SSH with key-pair authentication and
r-commands with rhost enabled.
This feature is designed to support applications such as SSH (Secure Shell) and the r-commands
(rlogin, rcp, etc.) with .rhost enabled. With these applications, authentication is not performed
via the PAM (Pluggable Authentication Module) subsystem but by the command itself.
In these applications, when authentication is not performed by PAM, the directory server is not
108 Administering LDAP-UX Client Services