LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

For a sample pam.conf file configured to define an access policy file for security enforcement, see
Section D.5 (page 430) (for an HP directory server environment) and Section D.6 (page 432) (for a
Windows ADS environment).
LDAP-UX Client Services provides a sample configuration file, /etc/opt/ldapux/pam_authz.policy.template.
This sample file shows how to configure the policy file to work with PAM_AUTHZ. Copy it and edit the copy,
using the correct syntax, to specify the access rules that grant or restrict login authorization. For detailed
information on how to construct an access rule in the policy file, see Section 7.4.7 (page 204).
NOTE: By default, the allow:unix_local_user access rule in the /etc/opt/ldapux/pam_authz.policy.template
file is enabled.
7.4.5 Policy validator
PAM_AUTHZ works as a policy validator. After it receives a PAM request, it processes the access rules
defined in pam_authz.policy. It validates the user's login authorization based on the user's login name
and the information it retrieves from the various name services, and returns the result to the PAM
framework.
PAM_AUTHZ processes access rules in the order they are defined in the access policy file. Processing stops
at the first rule that evaluates to true (match); that rule is called the "authoritative" rule and its action
(allow or deny) is the result. A rule that evaluates to false (no match) is skipped and processing continues
with the next rule. A rule with the action required is the exception: if it evaluates to true, processing
continues with the next rule instead of stopping; if it evaluates to false, processing ends immediately and
the user is restricted from login. If all access rules in the policy file have been evaluated and no
authoritative rule was found, the user is restricted from login.
NOTE:
If the user's login name is root or the UID is 0, PAM_AUTHZ does not process the access rules defined in
the access policy file. The root user is always granted login access, so the policy file cannot be used to
restrict root logins.
The default <action> of PAM_AUTHZ if no authoritative rule is found is deny.
PAM_AUTHZ skips an access rule, and does not process it, when:
The access rule contains the wrong syntax.
The access rule is of type ldap_filter or ldap_group and LDAP-UX Client Services is not running.
PAM_AUTHZ processes these rule types by querying the LDAP directory server through the ldapclientd
daemon, so when ldapclientd is not running, all ldap_filter and ldap_group rules are skipped.
A skipped rule has no effect on the result, whatever its action: processing continues with the next rule as
if the skipped rule were not in the file.
7.4.5.1 Example of access rule evaluation
The following shows an example of an access policy file:
allow:unix_user:user1,user2,user3,user4
required:ldap_filter:(status=active)
allow:unix_group:group1,group2
deny:unix_group:group11,group12
allow:netgroup:netgroup1,netgroup2
allow:ldap_group:ldapgroup1,ldapgroup2
allow:ldap_filter:(&(manager=Joeh)(department=marketing)(hostname=$[HOSTNAME]))
PAM_AUTHZ processes access rules in the order they are defined in the access policy file. It stops
evaluating the access rules when any one of them is matched, unless that rule has the action required
assigned. In the preceding example, if user2 attempts to log in, the login name matches one of the user
names in the first access rule, so PAM_AUTHZ stops evaluating the remaining rules and allows user2 to
log in. Because the first rule is authoritative before the required rule is reached, the status attribute
of user2 is never checked; place a required rule before any allow rules it is meant to constrain. For
another example, user5 attempts to log in, is not listed in the first rule, and is only a member of
ldapgroup2. The second rule (required) must evaluate to true, that is, the directory entry of user5 must
have status=active, for processing to continue. user5 is not a member of group1, group2, group11, or
group12, nor of netgroup1 or netgroup2, so the third, fourth, and fifth rules do not match; the sixth rule
evaluates to true and grants login access to that user.
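The evaluation order described above and the worked example in this section, as an added example that is not part of this guide or of LDAP-UX Client Services: a small Python evaluator that applies the documented rules to a constructed in-memory user record. The User class, parse_policy, evaluate, the ldap_up flag and the sample users are assumptions made for the example; the real module gathers group and netgroup membership from the name services and sends ldap_filter and ldap_group queries to the directory through ldapclientd, which this evaluator replaces with a minimal attribute matcher. It lets you check what a policy file will decide for a given user before deploying it, including what happens when ldapclientd is not running.

```python
"""Reference evaluator for a pam_authz.policy-style access policy (Section 7.4.5).
Added example, not LDAP-UX Client Services code: it runs the documented rule
order over a constructed in-memory user record instead of real name services,
and reduces ldap_filter to a small RFC 4515-style matcher over that record's
attributes (the real module sends the filter to the directory via ldapclientd).
The names User, parse_policy, evaluate and the sample users are assumptions."""
from dataclasses import dataclass, field

ACTIONS = {"allow", "deny", "required"}
TYPES = {"unix_user", "unix_group", "netgroup", "ldap_group", "ldap_filter"}

POLICY = """\
allow:unix_user:user1,user2,user3,user4
required:ldap_filter:(status=active)
allow:unix_group:group1,group2
deny:unix_group:group11,group12
allow:netgroup:netgroup1,netgroup2
allow:ldap_group:ldapgroup1,ldapgroup2
allow:ldap_filter:(&(manager=Joeh)(department=marketing)(hostname=$[HOSTNAME]))
"""  # the policy file from Section 7.4.5.1

@dataclass
class User:
    """Constructed stand-in for what PAM_AUTHZ gathers from the name services."""
    name: str
    uid: int
    groups: set = field(default_factory=set)      # UNIX group membership
    netgroups: set = field(default_factory=set)
    ldap_groups: set = field(default_factory=set)
    attrs: dict = field(default_factory=dict)     # LDAP entry attributes

def parse_policy(text):
    """(action, type, value) per line; wrong syntax yields action None (skipped)."""
    rules = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)
        ok = len(parts) == 3 and parts[0] in ACTIONS and parts[1] in TYPES
        rules.append(tuple(parts) if ok else (None, None, line))
    return rules

def match_filter(filt, attrs, hostname):
    """Match (attr=value) items combined with &, | and !; ValueError if malformed."""
    filt = filt.replace("$[HOSTNAME]", hostname)
    def parse(i):
        if i >= len(filt) or filt[i] != "(":
            raise ValueError("expected '('")
        i += 1
        if i < len(filt) and filt[i] in "&|!":
            op, i, subs = filt[i], i + 1, []
            while i < len(filt) and filt[i] == "(":
                r, i = parse(i)
                subs.append(r)
            if i >= len(filt) or filt[i] != ")" or not subs:
                raise ValueError("bad compound filter")
            return (all(subs) if op == "&" else any(subs) if op == "|" else not subs[0]), i + 1
        j = filt.find(")", i)
        if j < 0 or "=" not in filt[i:j]:
            raise ValueError("bad item filter")
        attr, _, val = filt[i:j].partition("=")
        have = attrs.get(attr)
        return (val in have if isinstance(have, (list, set, tuple)) else have == val), j + 1
    result, end = parse(0)
    if end != len(filt):
        raise ValueError("trailing characters after filter")
    return result

def rule_matches(rtype, value, user, hostname):
    """True if one rule's type/value matches the user record."""
    if rtype == "ldap_filter":
        return match_filter(value, user.attrs, hostname)
    names = set(value.split(","))
    if rtype == "unix_user":
        return user.name in names
    members = {"unix_group": user.groups, "netgroup": user.netgroups,
               "ldap_group": user.ldap_groups}[rtype]
    return bool(members & names)

def evaluate(policy_text, user, hostname="host1", ldap_up=True):
    """Return (decision, reason): root bypasses the policy; rules run top-down; the
    first matching allow/deny rule is authoritative; a matching required rule
    continues, a failing one denies; skipped rules have no effect; default deny."""
    if user.name == "root" or user.uid == 0:
        return "allow", "root/UID 0 is always granted access"
    for action, rtype, value in parse_policy(policy_text):
        if action is None:
            continue                                # wrong syntax: skipped
        if rtype in ("ldap_filter", "ldap_group") and not ldap_up:
            continue                                # ldapclientd down: skipped
        try:
            matched = rule_matches(rtype, value, user, hostname)
        except ValueError:
            continue                                # malformed filter: skipped
        if action == "required":
            if not matched:
                return "deny", f"required rule failed: {rtype}:{value}"
            continue                                # satisfied: keep processing
        if matched:
            return action, f"authoritative rule {action}:{rtype}:{value}"
    return "deny", "no authoritative rule (default deny)"
```

Calling evaluate(POLICY, User("user2", 102)) reproduces the first case in the text, and evaluate(POLICY, User("user5", 105, ldap_groups={"ldapgroup2"}, attrs={"status": "active"})) the second. Passing ldap_up=False models ldapclientd not running: the required:ldap_filter:(status=active) rule is then skipped, so a user whose status is not active but who belongs to group1 is allowed by the third rule. A required rule that depends on the directory therefore only restricts logins while ldapclientd is reachable, which is worth checking before relying on such a rule to lock accounts out.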
7.4 Configuring PAM_AUTHZ login authorization 203