LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
allow
This option indicates that a user is granted the login authorization.
deny
This option indicates that a user is denied the login authorization.
required
If the rule evaluates to false, this option indicates that a user is denied login
authorization; if the rule evaluates to true, the option indicates processing should
continue to the next rule.
<pam_code>
One of the following PAM return codes may be specified in the <action> field.
The PAM return codes are character strings:
• PAM_SUCCESS
• PAM_PERM_DENIED
• PAM_MAXTRIES
• PAM_AUTH_ERR
• PAM_NEW_AUTHTOK_REQD
• PAM_AUTHTOKEN_REQD
• PAM_CRED_INSUFFICIENT
• PAM_AUTHINFO_UNAVAIL
• PAM_USER_UNKNOWN
• PAM_ACCT_EXPIRED
• PAM_AUTHTOK_EXPIRED
For example, if the PAM_AUTHZ policy rule indicates that an account has been
locked out or a password has expired, PAM_AUTHZ can return an appropriate PAM
error code instead of a general deny error code.
<status>
Use of the status rule only applies when the action is to call a library function. In
this case, the status rule is always evaluated and always returns a code to the
PAM subsystem. Therefore, the status rule should always be the last and only
status rule in your policy file.
<type> The value in this field represents the type of access rule. It defines what kind of user
information PAM_AUTHZ needs to look for. The value also helps to determine
the correct syntax in the following <object> field.
Valid values for this field are:
unix_user, unix_local_user, unix_group, netgroup, ldap_group
Rules that have one of these specified as the <type> field define a static list access
rule. For this rule, the <object> field is specified as a predefined list of identifiers.
The identifiers are matched directly with data in the login request. This <type> field
specifies where PAM_AUTHZ will look to determine if the login field is present in
the appropriate data store, such as /etc/passwd or /etc/group. If the login
field is found, the rule is evaluated to be true. The final access right is determined
by the <action> field. For more information, see Section 7.4.8 (page 208).
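The allow, deny, required and PAM return code actions described above, applied to static list rules, can be modelled as follows. This is an added example, not code from this guide or from PAM_AUTHZ itself, and it covers only the unix_user and unix_group types. It assumes a colon-separated <action>:<type>:<object> line with a comma-separated <object> list, that a matching PAM return code rule returns that code, and that a login matching no rule is denied; the policy, user names and group data are constructed.

```python
# Added example: a simplified model of PAM_AUTHZ static list rule evaluation.
# Assumptions (not from this page): rules are "<action>:<type>:<object>" lines,
# <object> is a comma-separated list, and a login matching no rule is denied.
PAM_CODES = {"PAM_SUCCESS", "PAM_PERM_DENIED", "PAM_MAXTRIES", "PAM_AUTH_ERR",
             "PAM_NEW_AUTHTOK_REQD", "PAM_AUTHTOKEN_REQD", "PAM_CRED_INSUFFICIENT",
             "PAM_AUTHINFO_UNAVAIL", "PAM_USER_UNKNOWN", "PAM_ACCT_EXPIRED",
             "PAM_AUTHTOK_EXPIRED"}

def parse_policy(text):
    """Return (action, type, [identifiers]) tuples, skipping blank lines."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            raise ValueError(f"line {n}: expected <action>:<type>:<object>")
        action, rtype, obj = (p.strip() for p in parts)
        if action not in {"allow", "deny", "required"} | PAM_CODES:
            raise ValueError(f"line {n}: unknown action {action!r}")
        if rtype not in {"unix_user", "unix_group"}:
            raise ValueError(f"line {n}: type {rtype!r} not modelled here")
        rules.append((action, rtype, [i.strip() for i in obj.split(",") if i.strip()]))
    return rules

def rule_matches(rtype, identifiers, user, groups):
    """Static list match: the login name or one of the user's groups is listed."""
    if rtype == "unix_user":
        return user in identifiers
    return any(g in identifiers for g in groups.get(user, ()))

def evaluate(rules, user, groups):
    """First decisive rule wins; returns 'allow', 'deny' or a PAM code name."""
    for action, rtype, identifiers in rules:
        hit = rule_matches(rtype, identifiers, user, groups)
        if action == "required":
            if not hit:
                return "deny"      # required rule false: login denied
            continue               # required rule true: go on to the next rule
        if hit:
            return action          # allow, deny, or the named PAM return code
    return "deny"                  # assumed default when no rule matched

# Constructed sample policy and group membership, for illustration only.
POLICY = ("required:unix_group:staff\nPAM_ACCT_EXPIRED:unix_user:olduser\n"
          "deny:unix_user:mallory\nallow:unix_group:admins,operators\n")
GROUPS = {"alice": ["staff", "admins"], "bob": ["staff"], "carol": ["admins"],
          "mallory": ["staff", "admins"], "olduser": ["staff", "operators"]}
```

Rule order matters in this model: carol is in admins but is denied because the required rule on staff fails first, and mallory is denied before the final allow rule is reached.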
passwd_compat
206 Administering LDAP-UX Client Services