HP-UX Reference (11i v2 07/12) - 5 Miscellaneous (vol 9)
pam_authz(5) pam_authz(5)
unix_local_user No parameters are required in the object field.
unix_group This field contains a list of unix group names. Each value (group name) is a character string that is separated by a comma (,) separator, ASCII 2C HEX. Multi-valued field.
netgroup This field contains a list of netgroup names. Each value (group name) is a character string that is separated by a comma separator (,), ASCII 2C HEX. Multi-valued field.
ldapgroup This field contains a distinguished name (DN) of an LDAP group (non-Posix group) with groupOfNames objectclass or groupOfUniqueNames objectclass. Syntax of DN is defined in RFC2253. Single-valued field. No separator is required. Only one distinguished name is allowed.
In ldapfilter access rules, this field contains a single search filter that specifies one or more (attribute=value) pairs. Syntax of string search filter is defined in RFC2254. Single-valued field. No separator is required. Only one search filter is allowed.
Here is an example of access rules in /etc/opt/ldapux/pam_authz.policy:
allow:unix_user:peter,john,mary
allow:unix_group:admin,operator,support
deny:unix_group:guest,contractor,vendor
allow:netgroup:netcom,netprint,netmail
allow:ldap_group:cn=admingroup,ou=eng,dc=example,dc=com
allow:ldap_filter:(&(manager=tomc)(departmentnumber=113))
allow:unix_local_user
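The object-field rules above can be checked mechanically before a policy file is deployed. The following is an added example, not part of the manual page or of HP's software: a small linter that applies the multi-valued, single-valued and no-object constraints to each rule. The function names are hypothetical, the type keywords use the spelling from the example rules (ldap_group, ldap_filter), and treating unix_user as a comma-separated list is an assumption based on the first example rule.

```python
# Added example: lint pam_authz.policy access rules (not HP's code).
ACTIONS = {"allow", "deny"}                            # the two actions the page shows
LIST_TYPES = {"unix_user", "unix_group", "netgroup"}   # comma-separated values
NO_OBJECT_TYPES = {"unix_local_user"}                  # object field stays empty

def is_single_filter(s):
    """True if s is exactly one parenthesized filter, e.g. (&(a=1)(b=2))."""
    depth = 0
    for i, ch in enumerate(s):
        depth += (ch == "(") - (ch == ")")
        if depth <= 0 and i < len(s) - 1:   # closed early: "(a=1)(b=2)" or "a=1"
            return False
    return bool(s) and depth == 0

def lint_rule(line):
    """Return the problems found in one access rule (empty list means OK)."""
    parts = line.strip().split(":", 2)      # the object may itself contain ':'
    action = parts[0]
    rtype = parts[1] if len(parts) > 1 else ""
    obj = parts[2] if len(parts) > 2 else ""
    problems = []
    if action not in ACTIONS:
        problems.append(f"unknown action {action!r}")
    if rtype in NO_OBJECT_TYPES:
        if obj:
            problems.append(f"{rtype} takes no object")
    elif rtype in LIST_TYPES:
        if any(not v.strip() for v in obj.split(",")):
            problems.append(f"{rtype} has an empty list entry")
    elif rtype == "ldap_filter":
        if not is_single_filter(obj):
            problems.append("ldap_filter is not one parenthesized filter")
    elif rtype == "ldap_group":
        if "=" not in obj:                  # a DN has at least one attr=value pair
            problems.append("ldap_group is not a distinguished name")
    else:
        problems.append(f"unknown type {rtype!r}")
    return problems

def lint_policy(text):
    """Map line number -> problems for each non-blank rule that fails a check."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip() and (found := lint_rule(line)):
            report[n] = found
    return report

# Constructed sample: line 1 follows the page, lines 2-3 are deliberately broken.
SAMPLE = "allow:unix_group:admin,operator\nallow:unix_local_user:root\nallow:ldap_filter:(uid=a)(uid=b)\n"
if __name__ == "__main__":
    print(lint_policy(SAMPLE))
```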
The following options may be passed to the pam_authz service module:
debug syslog() debugging information at LOG_DEBUG level.
nowarn Turn off warning messages.
use_first_pass This option is ignored.
try_first_pass This option is ignored.
The pam_sm_setcred() function sets user specific credentials. In the case of pam_authz, this is a NULL function.
Session Management Module
The session management component provides functions to initiate (pam_sm_open_session()) and terminate (pam_sm_close_session()) sessions. For pam_authz, pam_open_session() is a NULL function. The following options may be passed in to the pam_authz service module:
debug syslog() debugging information at LOG_DEBUG level.
nowarn Turn off warning messages.
pam_close_session is a NULL function.
Password Management Module
The password management component provides a function to change passwords
(pam_sm_chauthtok()). In the case of pam_authz, the module is a NULL function. The following
options may be passed in to the pam_authz service module:
debug syslog() debugging information at LOG_DEBUG level.
nowarn Turn off warning messages.
use_first_pass This option is ignored.
try_first_pass This option is ignored.
EXAMPLES
The following is a sample pam.conf configuration file. Lines that begin with the # symbol are treated as
comments, and therefore ignored.
HP-UX 11i Version 2: December 2007 Update − 3 − Hewlett-Packard Company 297