Administering LDAP-UX Client Services

PAM_AUTHZ Login Authorization Enhancement


The PAM_AUTHZ service module provides functionality that allows the administrator to control who can log in to the system based on netgroup information found in the /etc/passwd and /etc/netgroup files.

PAM_AUTHZ has been created to provide access control similar to the netgroup filtering feature that is performed by NIS.

Starting with LDAP-UX Client Services B.04.00, PAM_AUTHZ has been enhanced to provide administrators with a simple security configuration file for setting up a local access policy that better meets the needs of their organization. PAM_AUTHZ uses the access policy to determine which users are allowed to log in to the system. A policy specifies which groups, LDAP groups, users or other access control objects (such as LDAP search filters) are allowed to log in to the system. For example, you can allow or deny a user access to a host or application based on his or her membership in a group, or role within an organization. As an example, PAM_KERBEROS and PAM_AUTHZ can be used together to authenticate and authorize users in a Windows 2000/2003 environment. PAM_KERBEROS authenticates the user. PAM_AUTHZ uses ADS groups or other user information from the policy file to determine whether the user is authorized to access the system.

Policy And Access Rules

Access rules are the basic elements of access control. Administrators create access rules that restrict or permit a user’s access permission. A policy is the collection of these different sets of access rules in a given order. This consolidated list of rules defines the overall access strategy of a local client machine. PAM_AUTHZ enables administrators to create an access policy by defining different types of access rules and to save the policy in a file.
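As an added illustration (not code from the LDAP-UX manual or from PAM_AUTHZ itself), the Python below evaluates an ordered list of allow/deny rules of the kinds described above (user, UNIX group, netgroup) against a constructed /etc/netgroup file, showing why the order of rules in a policy matters. The rule tuple format, the sample netgroups, users and groups are all invented for this example; it is not the PAM_AUTHZ policy file syntax.

```python
# Added example (not from the manual): an ordered allow/deny policy evaluated
# against users, UNIX groups and nested netgroups; first match wins, default deny.
# The rule tuples are a constructed format, not the PAM_AUTHZ policy file syntax.
# Constructed /etc/netgroup contents: "name (host,user,domain) ... nested_group".
NETGROUP_FILE = """admins  (,alice,) (,bob,)
ops     (,carol,) admins
interns (,dave,)
"""
# Constructed UNIX group membership (user -> groups) and the ordered policy.
GROUPS = {"alice": {"wheel"}, "bob": set(), "carol": {"ops"}, "dave": {"users"}}
POLICY = [("deny", "netgroup", "interns"),
          ("allow", "netgroup", "ops"),        # admins qualify via nesting
          ("allow", "unix_group", "wheel")]

def parse_netgroup(text):            # name -> (direct user members, nested netgroups)
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        name, *members = line.split()
        users, nested = set(), set()
        for m in members:
            if m.startswith("(") and m.endswith(")"):
                user = m[1:-1].split(",")[1].strip()   # middle field of the triple
                if user != "-":                        # "-" means no user at all
                    users.add(user or "*")             # empty field = any user
            else:
                nested.add(m)
        table[name] = (users, nested)
    return table

def in_netgroup(table, name, user, seen=None):   # recursive; 'seen' stops loops
    seen = set() if seen is None else seen
    if name in seen or name not in table:
        return False
    seen.add(name)
    users, nested = table[name]
    return user in users or "*" in users or \
        any(in_netgroup(table, n, user, seen) for n in nested)

def authorize(user, policy=POLICY, netgroups=None, groups=GROUPS):
    """Walk the rules in order; the first rule matching the user decides."""
    netgroups = parse_netgroup(NETGROUP_FILE) if netgroups is None else netgroups
    for action, kind, target in policy:
        if (kind == "user" and user == target) or \
           (kind == "unix_group" and target in groups.get(user, set())) or \
           (kind == "netgroup" and in_netgroup(netgroups, target, user)):
            return action == "allow"
    return False                                       # no rule matched: deny
```

With the rules in the order shown, dave is refused even though a later rule could have admitted him through a group; swapping the two rules reverses the decision.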
