HP-UX Reference (11i v2 07/12) - 5 Miscellaneous (vol 9)

pam_authz(5) pam_authz(5)
-@name Denies access to all members of the network group name.
-name Denies access to user name.
Please refer to passwd(4) for a sample /etc/passwd file.
With the access policy file, pam_sm_acct_mgmt() uses the /etc/opt/ldapux/pam_authz.policy file to help determine which users may log in. Each access rule in the access policy file is evaluated until an authoritative rule is found. An authoritative rule is the first access rule that matches the user's login name. pam_sm_acct_mgmt() returns allow or deny access based on the information in the authoritative rule. If no authoritative rule is found, the user is denied login.
Access rules are the basic elements of an access policy. A "policy" is the collection of these different sets of access rules in a given order. An access rule consists of three fields:

    action:type:object

where the fields mean the following:

action    The action field defines the access permission if an access rule evaluates to true. There are two possible values in this field:

          allow    login authorization is granted
          deny     login authorization is restricted
type      The value in the type field represents the source of the information. It signifies the kind of user information that PAM_AUTHZ should look for. The value also determines the correct syntax of the following object field. The following values are supported:

          Type              Usage
          unix_user         Control the access permission by comparing a user's login name with a list of user names in the object field.
          unix_local_user   Control the access permission by comparing a user's login name with the user accounts specified in the /etc/passwd file.
          unix_group        Control the access permission by examining the user's POSIX group membership. A list of Unix POSIX groups is specified in the object field. pam_authz retrieves the group information of each listed group by querying the name services specified in nsswitch.conf.
          netgroup          Control the access permission by examining the user's netgroup membership. A list of netgroup names is specified in the object field. pam_authz obtains the netgroup information by querying the name services specified in nsswitch.conf.
          ldapgroup         Control the access permission by examining the user's non-POSIX group membership. pam_authz supports X.500 style groups with the groupOfNames or groupOfUniqueNames objectclass. pam_authz retrieves the group membership of each listed group from the directory server through the LDAP-UX client.
          ldapfilter        Control the access permission by examining the user's role in the organization. pam_authz queries the user's LDAP information by using the provided LDAP filter.
          other             The other access rule serves as a wild card rule. Use this rule to allow or deny access permission to all users.
object    The values in the object field define the criteria that pam_authz validates against the login name. The following table provides a summary of all possible values and the syntax of the object field.

          Type              Object
          unix_user         This field contains a list of user names. Each value (user name) is a character string, separated by a comma (,) separator, ASCII 2C hex. Multi-valued field.
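The first-match, default-deny evaluation described above, as an added Python simulation (not HP-UX or LDAP-UX code): it parses action:type:object lines and walks them in file order, so the effect of rule ordering can be checked before a policy is deployed. The group and netgroup lookups, the '#' comment lines and the treatment of the other rule's object field are assumptions of this example; ldapgroup and ldapfilter rules are rejected because they need a directory server.

```python
# Constructed stand-ins for the name services pam_authz would query via nsswitch.conf.
GROUPS = {"wheel": ["root", "alice"], "dev": ["bob", "carol"]}
NETGROUPS = {"admins": ["alice", "dave"]}
SUPPORTED = {"unix_user", "unix_group", "netgroup", "other"}  # ldap types need a directory

def parse_policy(text):
    """Parse action:type:object lines, keeping file order because the first match wins."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # '#' comments are an assumption of this example
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected action:type:object, got {raw!r}")
        action, rtype, obj = (p.strip() for p in parts)
        if action not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: action must be allow or deny")
        if rtype not in SUPPORTED:
            raise ValueError(f"line {lineno}: type {rtype!r} not handled here")
        rules.append((action, rtype, obj))
    return rules

def rule_matches(rule, user):
    """True if the rule's object criteria apply to this login name."""
    _, rtype, obj = rule
    names = [n.strip() for n in obj.split(",") if n.strip()]  # comma-separated, multi-valued
    if rtype == "unix_user":
        return user in names
    if rtype == "unix_group":
        return any(user in GROUPS.get(g, []) for g in names)
    if rtype == "netgroup":
        return any(user in NETGROUPS.get(n, []) for n in names)
    return True  # "other" is the wildcard; its object field is ignored here (assumption)

def authorize(rules, user):
    """Action of the first (authoritative) matching rule; no match at all means deny."""
    for rule in rules:
        if rule_matches(rule, user):
            return rule[0] == "allow"
    return False

# Constructed policy: bob is denied because the dev group rule precedes his allow rule.
POLICY = """\
deny:unix_user:mallory
allow:unix_group:wheel
deny:unix_group:dev
allow:netgroup:admins
allow:unix_user:alice,bob
"""
```

Running authorize(parse_policy(POLICY), "eve") returns False because no rule matches, which mirrors the man page's deny-by-default behaviour.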
296 Hewlett-Packard Company 2 HP-UX 11i Version 2: December 2007 Update