LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

NOTE: Beginning with version 5.0 of the product, LDAP-UX Client
Services supports integrated Compat Mode to control which users are
visible on a host, where the user accounts are referenced by netgroups
specified in the /etc/passwd file. For more information, see
Section 2.5.5 (page 102). This feature is not supported when using LDAP-UX
Client Services with Windows ADS.
ldap_group   This option specifies that an access rule is based on nonPOSIXGroup membership. PAM_AUTHZ supports LDAP groups with the groupOfNames or groupOfUniqueNames objectclass. A list of ldap_group names is specified in the <object> field. The group membership information is stored in the LDAP directory server. An example of an ldap_group type of access rule is as follows:
deny:ldap_group:engineering_ldapgroup,support_ldapgroup,epartner_ldapgroup
PAM_AUTHZ retrieves the group membership of each listed group from the directory server through LDAP-UX Client Services. Then it examines whether the user's distinguished name (DN) matches any value in the member or uniquemember attribute.
7.4.9 Dynamic variable access rule
PAM_AUTHZ supports dynamic variables in the ldap_filter type of access rule. A dynamic variable is defined in the <object> (LDAP search filter) field, which can consist of one or more (attribute=$[variable_name]) pairs. The syntax of an access rule with a dynamic variable is:
<action>:ldap_filter:(attribute=$[variable_name])
For example, suppose an administrator has an attribute named hostControl defined in the directory and wants to use this attribute to define which hosts a user can log on to. The administrator may add the following access rule to the access policy file:
allow:ldap_filter:(hostControl=hostA)
where hostA is the value for the local host to which the user must be granted access. If a user, John, has a hostControl attribute in his user entry in the LDAP directory and its value is hostA, the access rule evaluates to true and John is allowed to log in to the host hostA.
In the preceding example, the dynamic variable HOSTNAME can be used instead. The access rule can be redefined as follows:
allow:ldap_filter:(hostControl=$[HOSTNAME])
where $[HOSTNAME] represents a dynamic variable function that is called to retrieve the local host name. PAM_AUTHZ then substitutes its return value into the search filter.
7.4.9.1 Supported functions for dynamic variables
In LDAP-UX Client Services, PAM_AUTHZ provides the following default dynamic variable functions in the libpolicy_commonauthz library. These functions can be used as dynamic variables specified in the ldap_filter type of access rules:
HOSTNAME     Returns the host name of the local system from which the user attempts to log on. For example, hostA.
HOSTNAMEWD   Returns the fully qualified host name of the local system from which the user attempts to log on. For example, hostA.hp.com.
HOSTIP       Returns the IP address of the local system from which the user attempts to log on. For example, 12.10.2.105.
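As an added illustration (not code from the LDAP-UX product or this guide), the following Python sketch evaluates ldap_group and ldap_filter rules of the forms shown above against a constructed in-memory directory, substituting $[HOSTNAME], $[HOSTNAMEWD] and $[HOSTIP] with constructed stand-in values. The DNs, group names and host values are invented, and two behaviours are assumptions rather than documented PAM_AUTHZ behaviour: multiple (attribute=value) pairs are combined with AND, and the first rule whose condition is true decides.

```python
import re

# Constructed in-memory stand-in for the directory (DN -> attributes); no real LDAP calls.
DIRECTORY = {
    "uid=john,ou=people,dc=example,dc=com": {"hostControl": ["hostA"]},
    "uid=sam,ou=people,dc=example,dc=com": {"hostControl": ["hostB"]},
    "cn=engineering_ldapgroup,ou=groups,dc=example,dc=com": {  # groupOfNames style
        "member": ["uid=mary,ou=people,dc=example,dc=com"]},
    "cn=support_ldapgroup,ou=groups,dc=example,dc=com": {  # groupOfUniqueNames style
        "uniquemember": ["uid=sam,ou=people,dc=example,dc=com"]},
}
# Constructed stand-ins for the libpolicy_commonauthz dynamic variable functions.
DYNAMIC_VARS = {
    "HOSTNAME": lambda: "hostA",
    "HOSTNAMEWD": lambda: "hostA.example.com",
    "HOSTIP": lambda: "192.0.2.10",
}

def substitute(filter_text):
    """Replace every $[NAME] in the filter with the named function's return value."""
    def repl(m):
        if m.group(1) not in DYNAMIC_VARS:
            raise ValueError("unknown dynamic variable: " + m.group(1))
        return DYNAMIC_VARS[m.group(1)]()
    return re.sub(r"\$\[(\w+)\]", repl, filter_text)

def filter_matches(entry, filter_text):
    """Simplified evaluator: every (attr=value) pair must hold (AND is an assumption)."""
    pairs = re.findall(r"\(([^=()]+)=([^()]*)\)", substitute(filter_text))
    return bool(pairs) and all(val in entry.get(attr, []) for attr, val in pairs)

def group_matches(user_dn, group_list):
    """True if user_dn is a member or uniquemember of any listed group (matched by cn)."""
    wanted = tuple("cn=" + g.strip().lower() + "," for g in group_list.split(","))
    return any(user_dn in a.get("member", []) + a.get("uniquemember", [])
               for dn, a in DIRECTORY.items() if dn.lower().startswith(wanted))

def evaluate(policy, user_dn):
    """Walk rules in order; the first rule whose condition is true decides (assumption)."""
    for line in policy.splitlines():
        if not line.strip():
            continue
        action, rtype, obj = line.strip().split(":", 2)
        if rtype == "ldap_filter":
            hit = filter_matches(DIRECTORY.get(user_dn, {}), obj)
        elif rtype == "ldap_group":
            hit = group_matches(user_dn, obj)
        else:
            continue  # other rule types are not modelled here
        if hit:
            return action
    return None  # no rule matched
```

A user who is in one of the listed groups is denied before the ldap_filter rule is ever consulted, which is why the order of rules in the policy file matters under the first-match assumption.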
7.4 Configuring PAM_AUTHZ login authorization 209