LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
Table 18 Field syntax in an access rule (continued)

Columns: <object>, <type>, <action>

<object>: unix_group
<type>: A list of group names. It can be a multi-valued field. Each value is a character string; values are separated by the separator "," (ASCII 2C HEX).
    Example:
    group1, group2, group3
    The length of a name may not exceed 255 characters, the length of LOGIN_NAME_MAX, which is a POSIX standard whose value is discoverable using the getconf command.
<action>: deny, allow, required, <pam_code>

<object>: passwd_compat
<type>: No value is required.
<action>: required, <pam_code>

<object>: netgroup
<type>: A list of netgroup names. It can be a multi-valued field. Each value is a character string; values are separated by the separator "," (ASCII 2C HEX).
    Example:
    netgroup1, netgroup2, netgroup3
<action>: deny, allow, required, <pam_code>

<object>: ldap_group
<type>: The distinguished name of an LDAP group with the groupofnames object class or the groupofuniquenames object class. It is a single-valued field. No separator is required. The syntax of a DN is defined in RFC2253.
    Example:
    cn=ldapgroup1,cn=groups,dc=mydomain,dc=com
<action>: deny, allow, required, <pam_code>

<object>: ldap_filter
<type>: A single search descriptor that specifies one or more (attribute=value) or (attribute=$[variable_name]) pairs. $[variable_name] is a dynamic variable. It is a single-valued field. Only one search filter is allowed. No separator is required. The syntax of DN is defined in RFC2254.
    Example:
    (&(manager=Joeh)(department=sales)(hostcontrol=$[HOSTNAME]))
    LDAP search filters may not exceed 512 characters.
<action>: deny, allow, required, <pam_code>

<object>: other
<type>: No value is required.
<action>: deny, allow, required, <pam_code>

<object>: status
<type>:
    <library_name>: The valid value for this field can be rhds or ads.
    <function_name>: Specifies the function name in <library_name> that is called to evaluate certain policy settings of the login user.
    Example:
    status:ads:check_ads_policy
    For more information, see Section 7.4.10.1 (page 210).
The following describes in more detail the fields defined in an access rule:
<action> This field defines a user's final access permission if an access rule evaluates to
true. Valid entries are allow, deny, required, and PAM return codes.
allow, deny, and required are character strings, and the value itself is not case
sensitive. In addition to the general return codes, allow and deny, LDAP-UX
Client Services B.04.10 or later PAM_AUTHZ supports returning meaningful PAM return
codes to the application that called the PAM API. PAM_AUTHZ does not evaluate
an access rule if no option is defined or if the action field contains an invalid
string.
The <action> field can be one of the following values:
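The constraints in Table 18 and the <action> rules above can be checked before a policy is deployed. The validator below is an added example, not part of the guide or of PAM_AUTHZ itself; it takes the three fields of one access rule already split apart (this page does not show the line format), and it assumes that a PAM return code is written as a PAM_* constant, which the page does not specify.

```python
import re

LOGIN_NAME_MAX = 255          # POSIX limit cited by the guide for group/netgroup names
LDAP_FILTER_MAX = 512         # maximum length of an LDAP search filter per the guide
SEPARATOR = ","               # ASCII 0x2C, the only list separator allowed
LIBRARIES = {"rhds", "ads"}   # valid <library_name> values for a status rule
ACTIONS = {"allow", "deny", "required"}
PAM_CODE = re.compile(r"^PAM_[A-Z_]+$")   # assumption: how a <pam_code> is spelled
# Simplified RFC2253 check: a comma-separated sequence of attr=value RDNs.
DN = re.compile(r"^[A-Za-z][\w-]*=[^,=]+(,[A-Za-z][\w-]*=[^,=]+)*$")


def _balanced(text):
    """True if every '(' in a search filter has a matching ')'."""
    depth = 0
    for ch in text:
        depth += ch == "("
        depth -= ch == ")"
        if depth < 0:
            return False
    return depth == 0


def validate_rule(obj, value, action):
    """Return a list of problems found in one access rule; [] means it is valid."""
    errors, obj, value, action = [], obj.strip().lower(), value.strip(), action.strip()
    if obj in ("unix_group", "netgroup"):
        for name in value.split(SEPARATOR):
            name = name.strip()
            if not name:
                errors.append(f"{obj}: empty name in list")
            elif len(name) > LOGIN_NAME_MAX:
                errors.append(f"{obj}: name longer than LOGIN_NAME_MAX ({len(name)} chars)")
    elif obj == "ldap_group":
        if not DN.match(value):
            errors.append("ldap_group: value is not a single DN")
    elif obj == "ldap_filter":
        if len(value) > LDAP_FILTER_MAX:
            errors.append(f"ldap_filter: filter longer than {LDAP_FILTER_MAX} chars")
        if not (value.startswith("(") and value.endswith(")") and _balanced(value)):
            errors.append("ldap_filter: malformed search filter")
    elif obj in ("passwd_compat", "other"):
        if value:
            errors.append(f"{obj}: takes no value")
    elif obj == "status":
        # For status the third field carries <function_name>, not an action.
        if value not in LIBRARIES:
            errors.append(f"status: library must be one of {sorted(LIBRARIES)}")
        if not re.match(r"^\w+$", action):
            errors.append("status: function name must be a single identifier")
        return errors
    else:
        errors.append(f"unknown object {obj!r}")
    allowed = {"required"} if obj == "passwd_compat" else ACTIONS  # passwd_compat has no allow/deny
    if action.lower() not in allowed and not PAM_CODE.match(action):
        errors.append(f"{obj}: invalid action {action!r}")
    return errors
```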
7.4 Configuring PAM_AUTHZ login authorization 205