LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
7.4.8 Static list access rule
When the value in the <type> field is one of unix_user, unix_group, netgroup, or
ldap_group, the rule is evaluated against a list of predefined values in the <object> field. Based
on the value in the <type> field, PAM_AUTHZ calls the appropriate service to determine whether
the requested item is present. If the requested information is found, the rule is evaluated to be true
and the <action> field is applied; otherwise the rule is skipped.
The following describes the values for this field:
unix_user This option indicates that an administrator wants to control login access
by comparing a user's login name with a list of predefined user names. If the
login name matches one of the user names in the list, the authorization
statement is evaluated to be true, and the final access right is determined by
the <action> field. Otherwise, the rule is skipped. An example of a unix_user type of
access rule is as follows:
allow:unix_user:myuser1,myuser2,myuser3
If the user myuser3 attempts to log in, the preceding access rule is
evaluated to be true and the user is granted login access.
unix_local_user This option indicates that an administrator wants to control login access
by checking whether the login name belongs to a local user account defined in
the /etc/passwd file. No <object> field is used. If the login name matches one of the
user accounts defined in /etc/passwd, the authorization statement is evaluated to be
true. Otherwise, the rule is skipped. An example of a unix_local_user
type of access rule is as follows:
allow:unix_local_user
For example, if a user account, myuser5, is defined in /etc/passwd, the
preceding access rule is evaluated to be true and myuser5 is granted
permission to log in to the local host. A user that exists only in the
directory, and not in /etc/passwd, does not match this rule.
unix_group This option specifies that an administrator wants to control login access
using the user's group membership. You can specify a list of group
names in the <object> field. PAM_AUTHZ retrieves the group information
of each listed group by querying the name services specified in
nsswitch.conf. That means the group entries might come from any
source (files, nis, LDAP, and so forth). If the login user belongs to any
group in the list, the access rule is evaluated to be true. Otherwise, the
rule is skipped. Because the membership data can come from any configured
source, a deny rule based on a group is only as reliable as the name service
that returns that group's members. An example of a unix_group access rule is as
follows:
deny:unix_group:myunixgroup10,myunixgroup11,myunixgroup12
If a user who is a member of myunixgroup12 tries to log in, the rule
is evaluated to be true and the <action> is applied: the user is denied
access to the machine even with a valid password.
netgroup This option is not supported in Windows ADS environments. The option
specifies that the access permission is determined by the user's netgroup
membership. You must specify a list of netgroup names in the <object>
field. If the user is a member of one of the netgroups specified in the
list, the access rule is evaluated to be true. Otherwise, the rule is skipped.
PAM_AUTHZ obtains the netgroup information by querying the name services
specified in nsswitch.conf. For example:
allow:netgroup:netgroup1,netgroup2,netgroup3
If a user who belongs to netgroup1 tries to log in, the preceding access
rule is evaluated to be true and the user is granted login access.
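The rule evaluation this section describes, as an added example that is not part of the guide or of HP's PAM_AUTHZ code: a small Python evaluator for the four static list types above, run over constructed passwd, group and netgroup data and a constructed policy that reuses the rule shapes of the examples. Two things are assumptions rather than statements from this section: rules are tried in order and the first one that evaluates to true decides, and when every rule is skipped the evaluator returns None rather than choosing a default.

```python
"""Evaluator for PAM_AUTHZ-style static list access rules.

Added example, not HP's pam_authz implementation. Each rule has the form
    <action>:<type>:<object>
with <action> allow or deny, <type> one of unix_user, unix_local_user,
unix_group or netgroup, and <object> a comma-separated list (absent for
unix_local_user). A rule that evaluates to true yields its <action>; a rule
that does not match is skipped. Assumptions not stated in the section:
rules are checked top to bottom and the first match decides, and when no
rule matches the result is None so the caller can apply its own default.
"""
from collections import namedtuple

Rule = namedtuple("Rule", "action type object")

# Constructed name-service data standing in for /etc/passwd and for the
# group and netgroup sources listed in nsswitch.conf (not real accounts).
LOCAL_PASSWD = {"root", "myuser5", "svc_backup"}
GROUPS = {                      # group name -> member login names
    "myunixgroup10": {"alice"},
    "myunixgroup12": {"bob", "carol"},
    "wheel": {"root", "alice"},
}
NETGROUPS = {                   # netgroup name -> member login names
    "netgroup1": {"alice", "dave"},
    "netgroup2": {"erin"},
}

# Constructed policy using the same rule shapes as the section's examples.
POLICY = """\
# deny listed groups first so a group member never reaches an allow rule
deny:unix_group:myunixgroup10,myunixgroup11,myunixgroup12
allow:unix_user:myuser1,myuser2,myuser3
allow:unix_local_user
allow:netgroup:netgroup1,netgroup2,netgroup3
"""

STATIC_TYPES = ("unix_user", "unix_local_user", "unix_group", "netgroup")


def parse_rule(line):
    """Return a Rule for one policy line, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(":", 2)
    if len(parts) < 2 or parts[0] not in ("allow", "deny"):
        raise ValueError("malformed rule: %r" % line)
    action, rtype = parts[0], parts[1]
    if rtype not in STATIC_TYPES:
        raise ValueError("unsupported <type> %r in rule %r" % (rtype, line))
    objects = ()
    if len(parts) == 3:
        objects = tuple(o.strip() for o in parts[2].split(",") if o.strip())
    if rtype == "unix_local_user" and objects:
        raise ValueError("unix_local_user takes no <object>: %r" % line)
    if rtype != "unix_local_user" and not objects:
        raise ValueError("%s rule needs a non-empty <object>: %r" % (rtype, line))
    return Rule(action, rtype, objects)


def rule_matches(rule, user):
    """True when the rule's <type>/<object> test holds for this login name."""
    if rule.type == "unix_user":
        return user in rule.object
    if rule.type == "unix_local_user":
        return user in LOCAL_PASSWD          # directory-only users never match
    if rule.type == "unix_group":
        return any(user in GROUPS.get(g, ()) for g in rule.object)
    if rule.type == "netgroup":
        return any(user in NETGROUPS.get(n, ()) for n in rule.object)
    raise ValueError("unsupported <type> %r" % rule.type)


def evaluate(policy_text, user):
    """Return 'allow', 'deny', or None if every rule was skipped."""
    for line in policy_text.splitlines():
        rule = parse_rule(line)
        if rule is not None and rule_matches(rule, user):
            return rule.action
    return None


if __name__ == "__main__":
    for login in ("bob", "myuser3", "myuser5", "dave", "alice", "mallory"):
        print("%-8s -> %s" % (login, evaluate(POLICY, login)))
```

Running the block prints one decision per login name. alice is denied by the unix_group rule even though she is also a member of netgroup1, which is why, under the first-match assumption, a deny rule for a group you want to exclude belongs ahead of any allow rules that its members might otherwise satisfy.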