pam_authz.5 (2010 09)
pam_authz(5) pam_authz(5)
status          Supports LDAP account and password security policy enforcement when the
                PAM_LDAP authentication service module is bypassed.
type            The value in the type field represents the source of the information. It
                signifies the kind of user information that PAM_AUTHZ should look for, and
                it also determines the correct syntax of the following object field. The
                following values are supported:
                Type              Usage
                unix_user         Control the access permission by comparing a user's login
                                  name with a list of user names in the object field.
                unix_local_user   Control the access permission by comparing a user's login
                                  name with the user accounts specified in the /etc/passwd
                                  file.
                unix_group        Control the access permission by examining the user's POSIX
                                  group membership. A list of Unix POSIX groups is specified
                                  in the object field. pam_authz retrieves the group
                                  information of each listed group by querying the name
                                  services specified in nsswitch.conf.
                netgroup          Control the access permission by examining the user's
                                  netgroup membership. A list of netgroup names is specified
                                  in the object field. pam_authz obtains the netgroup
                                  information by querying the name services specified in
                                  nsswitch.conf.
                passwd_compat     Control the access permission using NIS-style escapes in
                                  /etc/passwd. This is identical to the default behavior of
                                  pam_authz when no access policy file is present. The
                                  passwd_compat type supports only status or required in the
                                  action field.
                ldap_group        Control the access permission by examining the user's
                                  non-POSIX group membership. pam_authz supports X.500-style
                                  groups with the groupOfNames or groupOfUniqueNames
                                  objectclass. pam_authz retrieves the group membership of
                                  each listed group from the directory server through the
                                  LDAP-UX client.
                ldap_filter       Control the access permission by examining the user's role
                                  in the organization. pam_authz queries the user's LDAP
                                  information using the provided LDAP filter. Administrators
                                  can also define the LDAP filter along with dynamic
                                  variables.
                <library_name>    Specifies the name of the library to be loaded that
                                  supports the account and password policies for a
                                  particular directory server. The following two libraries
                                  are supported:
                                  rhds
                                        If this option is specified, PAM_AUTHZ loads the
                                        /opt/ldapux/lib/libpolicy_rhds.[so/sl] library to
                                        support security policy checking as defined by an
                                        HP-UX Directory Server or Red Hat Directory Server.
                                  ads
                                        If this option is specified, PAM_AUTHZ loads
                                        /opt/ldapux/lib/libpolicy_ads to support security
                                        policy checking as defined by a Windows Active
                                        Directory Server.
                other             The other access rule serves as a wildcard rule. Use this
                                  rule to allow or deny access permission to all users.
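The following is an added example, not text or code from the pam_authz(5) man page or from the LDAP-UX product: a small offline model of how an ordered list of access rules of the types listed above is evaluated against a login name. The rule syntax action:type:object, the actions allow and deny, top-to-bottom first-match evaluation with the other rule as the catch-all, and a deny result when no rule matches are assumptions made for illustration and are not stated on this page. The name-service and directory lookups that pam_authz would perform through nsswitch.conf and the LDAP-UX client are replaced by constructed in-memory tables; the LDAP filter evaluator handles only simple equality terms and an outer AND, not the full filter grammar.

```python
"""Added example (not from pam_authz(5)): evaluate pam_authz-style access rules.

Assumed rule syntax (not on the page):  action:type:object
Assumed evaluation (not on the page):   first matching rule decides; no match => deny
"""

# Constructed stand-ins for the name services pam_authz would consult.
LOCAL_PASSWD = {"alice", "bob"}                                   # /etc/passwd users
UNIX_GROUPS = {"wheel": {"alice"}, "dev": {"bob", "carol"}}       # POSIX groups
NETGROUPS = {"admins": {"alice"}, "contractors": {"dave"}}        # netgroups
LDAP_GROUPS = {"cn=ops,ou=groups,dc=example,dc=com": {"carol"}}  # groupOfNames members
LDAP_ENTRIES = {                                                  # per-user LDAP attributes
    "erin": {"uid": "erin", "department": "security"},
    "frank": {"uid": "frank", "department": "sales"},
}

# Constructed sample policy. Order matters: the first matching rule wins.
POLICY = """\
# deny contractors before any allow rule can admit them
deny:netgroup:contractors
allow:unix_group:wheel,dev
allow:ldap_group:cn=ops,ou=groups,dc=example,dc=com
allow:ldap_filter:(&(uid=$USER)(department=security))
deny:other:
"""


def parse_policy(text):
    """Parse action:type:object lines; blank lines and '#' comments are ignored."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)  # the object may itself contain ':' or ','
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected action:type:object")
        action, rtype, obj = (p.strip() for p in parts)
        if action not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        rules.append((action, rtype, obj))
    return rules


def split_top(s):
    """Split '(a)(b)(c)' into its top-level parenthesised components."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts


def eval_filter(flt, entry):
    """Minimal LDAP filter subset: (attr=value) and (&(f1)(f2)...)."""
    flt = flt.strip()
    if flt.startswith("(&"):
        return all(eval_filter(sub, entry) for sub in split_top(flt[2:-1]))
    attr, _, value = flt[1:-1].partition("=")
    return entry.get(attr) == value


def matches(rtype, obj, user):
    """Does one rule of the given type apply to this login name?"""
    names = [n.strip() for n in obj.split(",") if n.strip()]
    if rtype == "unix_user":
        return user in names
    if rtype == "unix_local_user":
        return user in LOCAL_PASSWD
    if rtype == "unix_group":
        return any(user in UNIX_GROUPS.get(g, ()) for g in names)
    if rtype == "netgroup":
        return any(user in NETGROUPS.get(g, ()) for g in names)
    if rtype == "ldap_group":           # object is one group DN (assumption)
        return user in LDAP_GROUPS.get(obj.strip(), ())
    if rtype == "ldap_filter":          # $USER is substituted before evaluation
        entry = LDAP_ENTRIES.get(user)
        return entry is not None and eval_filter(obj.replace("$USER", user), entry)
    if rtype == "other":                # wildcard: matches every user
        return True
    raise ValueError(f"unknown rule type {rtype!r}")


def decide(rules, user):
    """Return 'allow' or 'deny' for a login name under first-match evaluation."""
    for action, rtype, obj in rules:
        if matches(rtype, obj, user):
            return action
    return "deny"  # assumption: an unmatched user is denied


if __name__ == "__main__":
    rules = parse_policy(POLICY)
    for name in ("alice", "bob", "carol", "dave", "erin", "frank", "mallory"):
        print(f"{name:8s} -> {decide(rules, name)}")
```

Reading the results side by side shows why rule order is a security property: dave is in the dev-like contractors netgroup but is denied because the deny rule precedes every allow, while mallory, who appears in no table, falls through to the final other rule.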
object          The values in the object field define the criteria that pam_authz
                validates against the login name. The following table provides a summary
                of all possible values and the syntax of the object field.
HP-UX 11i v3: June 2010 Web Release − 3 − Hewlett-Packard Company 3