LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
The PAM framework, together with the PAM_AUTHZ service module (which is defined in the PAM_AUTHZ library known as libpam_authz) supplied with LDAP-UX Client Services, provides support for account management services. These services enable the administrator to control who can log in to the system based on netgroup information found in the /etc/passwd and /etc/netgroup files. PAM and PAM_AUTHZ can also be configured to use LDAP-UX Client Services to retrieve this information from an LDAP directory server and perform access authorization.
NOTE: Beginning with version 5.0, LDAP-UX Client Services supports integrated Compat Mode
to control which users are visible on a host; user accounts are referenced by netgroups specified
in the /etc/passwd file. For more information, see Section 2.5.5 (page 102). This feature is not
supported when using LDAP-UX Client Services with Windows ADS.
Starting with LDAP-UX Client Services B.04.00, PAM_AUTHZ has been enhanced to provide administrators with a simple security configuration file for setting up a local access policy that better meets the needs of their organization. PAM_AUTHZ uses the access policy to determine which users are allowed to log in to the system. A policy specifies which groups, LDAP groups, users or other access control objects (such as objects defined by LDAP search filters) are allowed to log in to the system. This flexibility enables you to allow or deny access to a host or application based on a user's membership in a group, or role within an organization. For example, PAM and PAM_AUTHZ can define an access rule that uses an LDAP directory server to state that the criterion is met if userA works for manager Sam. When the rule is evaluated, a request is sent to the LDAP directory and, if the attributes are found, the user can be granted or denied access accordingly.
NOTE: For information about other means for controlling access to the system, see Section 2.5.6
(page 104) (for HP directory server environments) and Section 3.5.4 (page 157) (for Windows ADS
environments).
7.4.1 Policy and access rules
Access rules are the basic elements of access control. Administrators create access rules that permit or restrict a user's access. A policy is the collection of these different sets of access rules in a given order. This consolidated list of rules defines the overall access strategy of a local client machine. PAM_AUTHZ enables administrators to create an access policy by defining different types of access rules and saving the policy in a file.
7.4.2 How login authorization works
The system administrator can define the access rules and store them in an access policy file.
PAM_AUTHZ uses these access rules defined in the policy file to control the login authorization.
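The ordered allow/deny evaluation that the "userA works for manager Sam" example and Sections 7.4.1 and 7.4.2 describe, as an added Python model that is not part of this guide or of PAM_AUTHZ itself: the colon-separated rule syntax, the rule type names, first-match semantics with a default deny, and all users and groups are assumptions made for illustration, so consult the guide's own policy file syntax before writing a real policy.

```python
import re
# Constructed sample data standing in for /etc/netgroup, /etc/group and LDAP entries.
NETGROUPS = {"sysadmins": {"alice", "bob"}, "contractors": {"eve"}}
UNIX_GROUPS = {"wheel": {"alice"}, "users": {"alice", "bob", "carol", "eve"}}
SAM = "uid=sam,ou=people,dc=example,dc=com"
LDAP_ENTRIES = {  # uid -> attributes the directory server would return
    "alice": {"manager": SAM, "status": "active"},
    "bob": {"manager": SAM, "status": "active"},
    "carol": {"manager": "uid=tina,ou=people,dc=example,dc=com", "status": "active"},
    "dan": {"manager": SAM, "status": "active"},
    "eve": {"manager": SAM, "status": "disabled"},
}
# Assumed policy-file syntax: one "action:type:object" rule per line, '#' comments.
SAMPLE_POLICY = """
# order matters: the first rule that matches the user decides
deny:ldap_filter:(status=disabled)
allow:netgroup:sysadmins
allow:ldap_filter:(manager=uid=sam,ou=people,dc=example,dc=com)
deny:unix_group:users
"""

def parse_policy(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, rtype, obj = line.split(":", 2)  # the object may itself contain ':'
        rules.append((action, rtype, obj))
    return rules

def rule_matches(user, rtype, obj):
    if rtype == "unix_group":
        return user in UNIX_GROUPS.get(obj, set())
    if rtype == "netgroup":
        return user in NETGROUPS.get(obj, set())
    if rtype == "ldap_filter":  # only simple (attr=value) filters are modelled here
        m = re.fullmatch(r"\((\w+)=(.+)\)", obj)
        if not m:
            raise ValueError("unsupported filter: " + obj)
        attr, value = m.groups()
        return LDAP_ENTRIES.get(user, {}).get(attr) == value
    raise ValueError("unknown rule type: " + rtype)

def authorize(user, rules):
    """First matching rule wins; a user that no rule covers is denied (assumed default)."""
    for action, rtype, obj in rules:
        if rule_matches(user, rtype, obj):
            return action == "allow"
    return False
```

Note that rule order is what keeps the disabled account eve out even though she reports to Sam, and that carol, who reports to Tina, falls through to the deny on the users group.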
200 Administering LDAP-UX Client Services