HP-UX Reference (11i v3 07/02) - 5 Miscellaneous Topics (vol 9)

pam_authz(5) pam_authz(5)
-@name Denies access to all members of the network group name.
-name Denies access to the user name.
Please refer to passwd(4) for a sample /etc/passwd file.
With the access policy file, pam_sm_acct_mgmt() uses the /etc/opt/ldapux/pam_authz.policy file to help determine which users may log in. Each access rule in the access policy file is evaluated, in order, until an authoritative rule is found. An authoritative rule is the first access rule that matches the user's login name. pam_sm_acct_mgmt() returns allow or deny access based on the information in the authoritative rule. If no authoritative rule is found, the user is denied login.
Access rules are the basic elements of an access policy. A "policy" is the collection of these different sets of access rules in a given order. An access rule consists of three fields:

action:type:object

where the fields mean the following:
action The action field defines the access permission if an access rule evaluates to true. There are two possible values in this field:
allow login authorization is granted
deny login authorization is restricted
type The value in the type field represents the source of the information. It signifies the kind of user information that PAM_AUTHZ should look for. The value also determines the correct syntax of the following object field. The following values are supported:

Type Usage
unix_user Control the access permission by comparing a user's login name with a list of user names in the object field.
unix_group Control the access permission by examining the user's POSIX group membership. A list of Unix POSIX groups is specified in the object field. pam_authz retrieves the group information of each listed group by querying the name services specified in nsswitch.conf.
netgroup Control the access permission by examining the user's netgroup membership. A list of netgroup names is specified in the object field. pam_authz obtains the netgroup information by querying the name services specified in nsswitch.conf.
ldapgroup Control the access permission by examining the user's non-POSIX group membership. pam_authz supports X.500 style groups with the groupOfNames or groupOfUniqueNames objectclass. pam_authz retrieves the group membership of each listed group from the directory server through the LDAP-UX client.
ldapfilter Control the access permission by examining the user's role in the organization. pam_authz queries the user's LDAP information by using the provided LDAP filter.
other The other access rule serves as a wildcard rule. Use this rule to allow or deny access permission to all users.
object The values in the object field define the criteria against which pam_authz validates the login name. The following table summarizes all possible values and the syntax of the object field.

Type Object
unix_user This field contains a list of user names. Each value (user name) is a character string; values are separated by a comma (,) separator, ASCII 2C hex. Multi-valued field.
unix_group This field contains a list of Unix group names. Each value (group name) is a character string; values are separated by a comma (,) separator, ASCII 2C hex. Multi-valued field.
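The first-match-wins evaluation described above, as an added example that is not part of HP's pam_authz code: it parses action:type:object rules for the unix_user, unix_group and other types, returns the action of the first (authoritative) matching rule, and denies when no rule matches. The policy text, the group mapping and the handling of '#' comment lines are constructed assumptions, and group lookups come from an in-memory dictionary rather than nsswitch.conf.

```python
from collections import namedtuple

# Rule types modelled here; netgroup, ldapgroup and ldapfilter need name-service or LDAP lookups.
SUPPORTED_TYPES = ("unix_user", "unix_group", "other")
Rule = namedtuple("Rule", "action rtype objects")  # objects: values of the comma-separated object field

def parse_policy(text):
    """Parse action:type:object lines into Rule tuples, preserving file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' lines are comments
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected action:type:object")
        action, rtype, obj = (p.strip() for p in parts)
        if action not in ("allow", "deny") or rtype not in SUPPORTED_TYPES:
            raise ValueError(f"line {lineno}: unsupported action or type")
        objects = [v.strip() for v in obj.split(",") if v.strip()]
        rules.append(Rule(action, rtype, objects))
    return rules

def rule_matches(rule, user, user_groups):
    """True when the rule applies to this login name; 'other' is the wildcard."""
    if rule.rtype == "unix_user":
        return user in rule.objects
    if rule.rtype == "unix_group":
        return any(g in user_groups for g in rule.objects)
    return True

def authorize(rules, user, user_groups):
    """Return the action of the first matching (authoritative) rule; deny if none matches."""
    for rule in rules:
        if rule_matches(rule, user, user_groups):
            return rule.action
    return "deny"

# Constructed sample policy and group data (not from a real system); the first line is
# authoritative for contractor1 even though that account is also a member of wheel.
SAMPLE_POLICY = """\
deny:unix_user:contractor1
allow:unix_group:wheel,sysadmin
allow:unix_user:alice,bob
deny:other:
"""
SAMPLE_GROUPS = {"alice": ["users"], "carol": ["sysadmin"], "contractor1": ["wheel"]}
```

Reordering the sample so the wheel allow precedes the contractor1 deny flips the result for that account, which is why rule order in the policy file matters.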
HP-UX 11i Version 3: February 2007 2 Hewlett-Packard Company 347