LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

Now assume that user6 has the status attribute set to active, reports to Joeh, has a job related to
marketing, and has a hostname attribute whose returned value is HostSrv in the user's entry in the
LDAP directory. PAM_AUTHZ starts to validate login access for user6 by evaluating all the access
rules defined in the access policy file. The second rule evaluates to true, but because the action
assigned to this rule is required, processing continues with the next rule. The sixth access rule
evaluates to true, and user6 is allowed to log in to host HostSrv.
7.4.6 Dynamic variable support
Dynamic variable support is a method by which an access rule can be defined in which part or all
of the policy criteria are determined at the time the rule is evaluated. For example, the name of
the computer from which the user attempts to log in can be substituted into the access rule before it
is evaluated. See Section 7.4.9 (page 209) for more information on how to define an access rule
using dynamic variable support.
7.4.7 Constructing an access rule in the access policy file
In the access policy file, an access rule consists of three fields as follows:
<action>:<type>:<object>
All fields are mandatory except for the <object> field when passwd_compat,
unix_local_user, or Other is specified in the <type> field. If any field is missing or contains
the incorrect syntax, the access rule is considered to be invalid and is ignored by PAM_AUTHZ.
These fields have the following limitations:
No leading or trailing empty space is allowed in a field
Fields are separated by the separator : (colon)
No leading or trailing empty space is allowed around a separator
An access rule is terminated by a carriage return
No rule may exceed 2048 characters, the length of LINE_MAX, which is a POSIX standard whose
value is discoverable using the getconf command. For more information about the maximum
length of fields specified in a rule, see Table 18 (page 204).
7.4.7.1 Fields in an access rule
Table 18 summarizes all possible values and the syntax of an access rule:
Table 18 Field syntax in an access rule

<action>                           <type>           <object>
deny, allow, required, <pam_code>  unix_user        A list of user names. This field can be multi-valued;
                                                    each value is a character string, and values are
                                                    separated by the separator "," (ASCII 2C hex).
                                                    Example: user1, user2, user3
                                                    The length of a user name may not exceed 255
                                                    characters, the length of LOGIN_NAME_MAX, which is a
                                                    POSIX standard whose value is discoverable using the
                                                    getconf command.
deny, allow, required, <pam_code>  unix_local_user  No value is required.
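The following validator is an added example (not code from the guide or from LDAP-UX) that applies the rule syntax of Section 7.4.7 and the unix_user and unix_local_user rows of Table 18 to a constructed policy file, skipping invalid rules the way PAM_AUTHZ ignores them. The PAM_ prefix assumed for a <pam_code> action and the treatment of a non-empty <object> on an object-optional type are assumptions, marked in the comments.

```python
import re

# Limits as the guide states them (what getconf LINE_MAX / LOGIN_NAME_MAX report)
LINE_MAX = 2048
LOGIN_NAME_MAX = 255
ACTIONS = {"deny", "allow", "required"}
# Assumption: a <pam_code> action is spelled like a PAM return code, e.g. PAM_AUTH_ERR
PAM_CODE = re.compile(r"^PAM_[A-Z_]+$")
# Types for which the <object> field may be empty (Section 7.4.7)
OBJECT_OPTIONAL = {"passwd_compat", "unix_local_user", "Other"}
# Types covered on this page; the remaining rows of Table 18 would extend this set
KNOWN_TYPES = OBJECT_OPTIONAL | {"unix_user"}

def parse_rule(line):
    """Return (action, type, objects) for a valid rule, or None if PAM_AUTHZ would ignore it."""
    line = line.rstrip("\r\n")                  # a rule is terminated by the line end
    if not line or len(line) > LINE_MAX:        # rule length limit
        return None
    fields = line.split(":")
    if len(fields) != 3:                        # exactly <action>:<type>:<object>
        return None
    if any(f != f.strip() for f in fields):     # no space around a field or a separator
        return None
    action, rtype, obj = fields
    if not (action in ACTIONS or PAM_CODE.match(action)):
        return None
    if rtype not in KNOWN_TYPES:
        return None
    if rtype in OBJECT_OPTIONAL:                # Table 18: no value is required here;
        return (action, rtype, [])              # assumption: any value given is ignored
    if obj == "":                               # <object> is mandatory for unix_user
        return None
    names = [n.strip() for n in obj.split(",")] # "user1, user2, user3" style list
    if any(n == "" or len(n) > LOGIN_NAME_MAX for n in names):
        return None
    return (action, rtype, names)

def load_policy(text):
    """Parse a whole policy file; invalid rules are skipped, as PAM_AUTHZ ignores them."""
    rules = []
    for lineno, line in enumerate(text.splitlines(keepends=True), 1):
        parsed = parse_rule(line)
        if parsed is not None:
            rules.append((lineno, parsed))
    return rules

# Constructed sample policy: rules 3, 4 and 5 are deliberately invalid
SAMPLE_POLICY = (
    "allow:unix_user:user1, user2, user3\n"
    "required:unix_local_user:\n"
    "deny:unix_user: user4\n"                   # leading space in <object>
    "allow:unix_user\n"                         # <object> field missing
    "allow:unix_user:\n"                        # empty <object> not allowed for unix_user
    "PAM_AUTH_ERR:unix_user:user5\n"
)
```

Running load_policy(SAMPLE_POLICY) keeps only rules 1, 2 and 6.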
204 Administering LDAP-UX Client Services