Manualshelf

LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

ManualsBrandsHP ManualsSoftwareHP-UX LDAP-UX Integration Software
201202203204205206207208209210
Controls access permission using NIS-style escapes in /etc/passwd. This is identical
to the default behavior of PAM_AUTHZ when there is no access policy file present.
The passwd_compat type supports only status or required in the action field,
and anything specified in the <object> field is ignored.
NOTE: Use of netgroups, which are used by passwd_compat, is not supported
in ADS. References here are for information only.
other
PAM_AUTHZ ignores any access rules defined in the <object> field. The access
rule is evaluated to be true immediately. For example,
allow:other
In the preceding example, all users are granted the login access to the machine.
The primary usage of this type of rule is to toggle PAM_AUTHZ default <action>.
ldap_filter
In a role based access management, permission to access a resource can be
controlled based on the user's role such as sales force, technical support or subscriber
status and are typically defined by common business attributes of users based on
company policies. The same concept is applied to the ldap_filter access rule.
A search filter is defined in <object> field. A search filter consists of one or more
(attribute=value) pairs. If the user entry is successfully retrieved from a directory
server by using the search filter, the access rule is considered to be true. Examples
of ldap_filter type of access rule are as follows:
allow:ldap_filter:(&(manager=paulw)(business
category=marketing))
In the preceding example, if a user reports to paulw and the user's job is related
to marketing, then the user is granted the login access. The rule structure is very
flexible about how to define access for certain groups of users.
PAM_ACCT_EXPIRED:ldap_filter:(nsAccountLock=TRUE)
In the preceding example, if a user account has been locked out and this access
rule is evaluated to be true, the PAM_ACCT_EXPIRED code is returned by
PAM_AUTHZ.
In LDAP-UX Client Services B.04.10 or later, PAM_AUTHZ supports dynamic variable
in the ldap_filter type of the access rule. A search filter can consist of one or
more (attribute=$[function_name]) pairs and is defined in the <object>
field. The [function_name] is called and the return value is substituted into the
search filter. Then the search filter is processed the same as in the preceding example.
For detailed information about dynamic variable support, see Section 7.4.9
(page 209).
<library_name>
When status is specified as the <action> field, this defines a rule that is evaluated
to perform account and password policy enforcement. This access rule defines a
library, in the <library_name> field to be loaded (for HP-UX Directory Server or
Red Hat Directory Server, the <library_name> is rhds, for Windows ADS, the
<library_name> is ads), and a function in the <function_name> field that
specifies a function to be invoked to perform policy evaluation for a particular
directory server. For detailed information on the supported values and usage of this
access rule, see Section 7.4.10.1 (page 210).
<object> The values in this field define the policy criteria that PAM_AUTHZ uses to validate
with the login name. The values in this field are dependent on the option that is
stated in the <type> field.
7.4 Configuring PAM_AUTHZ login authorization 207