LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory Server Administrator's Guide (obsolete beyond B.05.00)
The PAM framework, together with the PAM_AUTHZ service module supplied with LDAP-UX Client Services, provides support for Account Management services. (The PAM_AUTHZ functionality is provided by the PAM_AUTHZ library.) These services allow the administrator to control who can log in to the system based on netgroup information found in the /etc/passwd and /etc/netgroup files. PAM and PAM_AUTHZ can also be configured to use LDAP-UX Client Services to retrieve that information from a directory server in order to perform access authorization.
Starting with LDAP-UX Client Services B.04.00, PAM_AUTHZ has been enhanced to provide administrators with a simple security configuration file for setting up a local access policy that better meets the needs of their organization. PAM_AUTHZ uses the access policy to determine which users are allowed to log in to the system. A policy specifies which groups, LDAP groups, users or other access control objects (such as objects defined by LDAP search filters) are allowed to log in to the system. This flexibility enables you to allow or deny access to a host or application based on a user's membership in a group or role within an organization. For example, PAM and PAM_AUTHZ can define an access rule, evaluated against a directory server, stating that the criterion is met if 'userA' works for manager 'Sam'. When the rule is evaluated, a request is sent to the directory server, and if the attributes are found, the user can be granted or denied access.
NOTE: For information about other means for controlling access to the system, see Section 2.5.4 (page 60).
6.4.1 Policy and access rules
Access rules are the basic elements of access control. Administrators create access rules that restrict or permit a user's access. A policy is the collection of these sets of access rules in a given order. This consolidated list of rules defines the overall access strategy of a local client machine. PAM_AUTHZ enables administrators to create an access policy by defining different types of access rules and saving the policy in a file.
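As an added illustration (not code from this guide or from LDAP-UX), the following Python simulates the ordered evaluation of an access policy described above, including the "userA works for manager Sam" rule from the introduction. The rule syntax action:type:object, the first-match semantics, the directory contents and the group and netgroup tables are all assumptions constructed for the example.

```python
import re

# Constructed stand-in for the directory server: entries keyed by DN.
DIRECTORY = {
    "uid=userA,ou=people,dc=example,dc=com": {
        "uid": "userA", "manager": "cn=Sam,ou=people,dc=example,dc=com"},
    "uid=userB,ou=people,dc=example,dc=com": {
        "uid": "userB", "manager": "cn=Pat,ou=people,dc=example,dc=com"},
}
# Constructed stand-ins for /etc/group and /etc/netgroup membership.
UNIX_GROUPS = {"wheel": {"root"}}
NETGROUPS = {"ops": {"userB"}}

# Assumed rule syntax (not the product's own): action:type:object,
# evaluated top to bottom, first matching rule decides.
POLICY = """
allow:unix_user:root
deny:unix_netgroup:ops
allow:ldap_filter:(manager=cn=Sam,ou=people,dc=example,dc=com)
deny:all
"""

def matches_filter(entry, flt):
    """Evaluate a small subset of LDAP filter syntax: (attr=value) and (&(...)(...))."""
    if flt.startswith("(&"):
        parts = re.findall(r"\([^()]*\)", flt[2:-1])
        return all(matches_filter(entry, p) for p in parts)
    attr, _, value = flt.strip("()").partition("=")
    return entry.get(attr) == value

def authorize(user, policy=POLICY):
    """Return (decision, rule) for the first policy rule that matches the user."""
    entry = next((e for e in DIRECTORY.values() if e.get("uid") == user), {})
    for line in policy.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        action, _, rest = line.partition(":")
        rtype, _, obj = rest.partition(":")
        hit = (
            rtype == "all"
            or (rtype == "unix_user" and obj == user)
            or (rtype == "unix_group" and user in UNIX_GROUPS.get(obj, set()))
            or (rtype == "unix_netgroup" and user in NETGROUPS.get(obj, set()))
            or (rtype == "ldap_filter" and bool(entry) and matches_filter(entry, obj))
        )
        if hit:
            return action, line
    return "deny", "<end of policy>"  # assumption: no matching rule means deny
```

Note that userB is denied by the netgroup rule before the manager filter is reached, which is why rule order matters.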
6.4.2 How login authorization works
The system administrator defines the access rules and stores them in an access policy file. PAM_AUTHZ uses the access rules defined in the policy file to control login authorization.
Figure 9 PAM_AUTHZ environment
[Figure: the components shown are a PAM-enabled application, the policy configuration file, pam_authz, /etc/group, /etc/netgroup, the LDAP directory server, authentication modules (for example pam_kerberos and pam_ldap), and the ldap_ux client daemon ldapclientd; the interactions between them are numbered 1 through 7.]
The following describes the PAM_AUTHZ policy validation process for the user login authorization shown in Figure 9:
6.4 PAM_AUTHZ login authorization 99