Administering LDAP-UX Client Services

PAM_AUTHZ Login Authorization Enhancement

2. The PAM_AUTHZ service module receives an authentication request from the PAM framework. It processes all the access rules stored in the /etc/opt/ldapux/pam_authz.policy file.

3. If a rule indicates that the required information is stored in an LDAP server, PAM_AUTHZ constructs a request message and sends it to the LDAP client daemon, ldapclientd. The LDAP client daemon performs the actual LDAP query and returns the result to PAM_AUTHZ. Then the access rule is evaluated and the final access right is returned.

4. If a rule indicates that the required information is in the UNIX files, PAM_AUTHZ retrieves the user's information from the /etc/passwd, /etc/group or /etc/netgroup file through the getpwnam() or getgrnam() calls. Then the rule is evaluated and the final access right is returned.

5. PAM_AUTHZ returns the corresponding PAM result to the PAM framework. The decision is returned to the application which called the PAM API.

6. If the user has permission to log in, then the decision is passed to the next PAM service module that is configured in the pam.conf file, such as pam_ldap or pam_kerberos. If the user has no access right, then login is denied.

7. The PAM service module returns the authentication result to the application which called the PAM API.
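The following is an added model of the decision flow in steps 2 through 7; it is example code written for this page, not LDAP-UX or PAM_AUTHZ source. Everything it assumes is labelled: the "action:type:object" rule syntax is a stand-in for the real policy grammar (see "Constructing an Access Rule in pam_authz.policy"), the rules are evaluated first-match-wins, a user matching no rule is denied, and a rule whose LDAP lookup cannot complete is treated as not matched so that an allow rule cannot open access while ldapclientd is unreachable. The passwd, group, netgroup and directory data are constructed inline.

```python
"""Model of the PAM_AUTHZ decision flow (steps 2-7 above).

Added example, not LDAP-UX code. Assumptions, also marked in comments:
the "action:type:object" rule syntax, first-match evaluation, default-deny
when nothing matches, and fail-closed when an LDAP lookup cannot complete.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

PAM_SUCCESS = "PAM_SUCCESS"
PAM_PERM_DENIED = "PAM_PERM_DENIED"

# Constructed stand-ins for the /etc/passwd, /etc/group and /etc/netgroup
# entries that PAM_AUTHZ would read through getpwnam()/getgrnam() (step 4).
PASSWD = {"alice": {"gid": 100}, "bob": {"gid": 100}, "guest": {"gid": 300}}
GROUP = {
    "users": {"gid": 100, "members": set()},
    "ops": {"gid": 200, "members": {"bob"}},
    "nobody": {"gid": 300, "members": set()},
}
NETGROUP = {"remote-admins": {"bob"}}

# Constructed stand-in for the directory data ldapclientd would query (step 3).
LDAP_GROUPS = {"cn=ldapadmins,ou=groups,dc=example,dc=com": {"alice"}}

LdapQuery = Callable[[str, str], bool]


def default_ldap_query(group_dn: str, user: str) -> bool:
    """Stands in for the query ldapclientd performs on PAM_AUTHZ's behalf."""
    return user in LDAP_GROUPS.get(group_dn, set())


def ldap_unavailable(group_dn: str, user: str) -> bool:
    """Simulated outage: the client daemon cannot answer the query."""
    raise ConnectionError("ldapclientd unreachable")


@dataclass
class Rule:
    action: str  # "allow" or "deny"
    kind: str    # unix_user | unix_group | unix_netgroup | ldap_group (assumed)
    obj: str     # user name, group name, netgroup name or group DN


def parse_policy(text: str) -> List[Rule]:
    """Parse the assumed 'action:type:object' syntax; '#' lines are comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"malformed rule: {line!r}")
        rules.append(Rule(*parts))
    return rules


def in_unix_group(user: str, group: str) -> bool:
    """Match on primary GID from passwd or explicit membership in group."""
    ent = GROUP.get(group)
    if ent is None:
        return False
    pw = PASSWD.get(user)
    return (pw is not None and pw["gid"] == ent["gid"]) or user in ent["members"]


def rule_matches(rule: Rule, user: str, ldap_query: LdapQuery) -> bool:
    if rule.kind == "unix_user":
        return user == rule.obj
    if rule.kind == "unix_group":
        return in_unix_group(user, rule.obj)
    if rule.kind == "unix_netgroup":
        return user in NETGROUP.get(rule.obj, set())
    if rule.kind == "ldap_group":
        # Step 3: hand the lookup to the client daemon. A failed query must
        # not count as a match, so an allow rule cannot grant access while
        # the directory is unreachable (fail-closed assumption).
        try:
            return ldap_query(rule.obj, user)
        except Exception:
            return False
    raise ValueError(f"unknown rule type: {rule.kind}")


def authorize(user: str, rules: List[Rule],
              ldap_query: LdapQuery = default_ldap_query) -> Tuple[str, Optional[int]]:
    """Steps 2-5: walk the rules in order; the first match decides.
    Returns (pam_result, index of the deciding rule, or None for the default)."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, user, ldap_query):
            return (PAM_SUCCESS if rule.action == "allow" else PAM_PERM_DENIED), i
    return PAM_PERM_DENIED, None  # default-deny assumption


SAMPLE_POLICY = """\
# constructed policy for this example (assumed syntax, not the documented one)
deny:unix_user:guest
allow:unix_group:ops
allow:ldap_group:cn=ldapadmins,ou=groups,dc=example,dc=com
allow:unix_netgroup:remote-admins
"""


def decide(user: str, ldap_query: LdapQuery = default_ldap_query) -> Tuple[str, Optional[int]]:
    """Run one login through the sample policy; returns (pam_result, rule index)."""
    return authorize(user, parse_policy(SAMPLE_POLICY), ldap_query)


if __name__ == "__main__":
    for name in ("alice", "bob", "guest", "mallory"):
        print(name, decide(name))
    print("alice with ldapclientd down:", decide("alice", ldap_unavailable))
```

Running the block shows the two data paths side by side: bob is decided from the local group file (step 4), alice only from the directory lookup (step 3), guest is stopped by the first deny rule, and an unknown user falls through to the default. The last line shows the fail-closed case: with the daemon down, alice's allow rule is skipped and the result is PAM_PERM_DENIED, which is the behaviour a defender wants from an authorization module whose backing store is unavailable.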

Policy File

The system administrator can define a local access policy and store all defined access rules in the policy file, /etc/opt/ldapux/pam_authz.policy. The PAM_AUTHZ service module uses this local policy file to process the access rules and to control the login authorization.

LDAP-UX Client Services provides a sample configuration file, /etc/opt/ldapux/pam_authz.policy.template. This sample file shows you how to configure the policy file to work with PAM_AUTHZ. You can copy this sample file and edit it using the correct syntax to specify the access rules you wish to authorize or exclude from authorization. For detailed information on how to construct an access rule in the policy file, see “Constructing an Access Rule in pam_authz.policy” on page 112.

Chapter 4

111