Administering LDAP-UX Client Services

PAM_AUTHZ Login Authorization Enhancement

Constructing an Access Rule in pam_authz.policy

In the policy file, /etc/opt/ldapux/pam_authz.policy, an access rule consists of three fields, as follows:

<action>:<type>:<rule>

All fields are mandatory. If any field is missing or contains incorrect syntax, the access rule is considered invalid and is ignored by PAM_AUTHZ.

These fields have the following limitations:

No leading or trailing white space is allowed in a field

Fields are separated by the separator character ":"

No leading or trailing white space is allowed around a separator

An access rule is terminated by a carriage return

Fields in an Access Rule

Table 4-1 shows a summary of all possible values and syntax of an access rule:

Table 4-1    Field Syntax in an Access Rule

<action>       <type>        <object>
deny, allow    unix_user     A list of user names. It can be a multi-valued field. Each value is a character string; values are separated by the separator "," (ASCII 2C HEX).
                             Example: user1, user2, user3
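Because PAM_AUTHZ silently ignores any rule that breaks the syntax above, a deny rule with a stray space or a missing field simply never takes effect. The following validator is an added example (not HP's code and not part of the LDAP-UX product); it applies the field rules and the unix_user syntax from this page to a constructed policy fragment and reports which lines would be ignored. It assumes that lines beginning with "#" are comments and that white space around an individual user name after a "," may be stripped, as in the page's own "user1, user2, user3" example; neither point is stated on the page.

```python
"""Lint pam_authz.policy access rules (added example, not HP's code).

Checks the syntax described on this page:
  <action>:<type>:<rule>
  - three mandatory fields separated by ':'
  - no leading or trailing white space in a field or around a separator
  - one rule per line (terminated by a newline)
  - <action> is deny or allow; <type> unix_user takes a ','-separated
    (ASCII 0x2C) list of user names
A rule that fails any check is one PAM_AUTHZ would ignore.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

VALID_ACTIONS = {"deny", "allow"}
VALID_TYPES = {"unix_user"}  # only the <type> shown on this page


@dataclass
class AccessRule:
    action: str
    rule_type: str
    values: List[str] = field(default_factory=list)


def parse_rule(line: str) -> Optional[AccessRule]:
    """Return an AccessRule, or None if PAM_AUTHZ would ignore the line."""
    line = line.rstrip("\r\n")
    if line.strip() == "" or line.lstrip().startswith("#"):
        return None  # blank or comment line (assumption): not a rule at all
    fields = line.split(":")
    if len(fields) != 3:
        return None  # missing field, or an extra ':' in a field
    for f in fields:
        if f == "" or f != f.strip():
            return None  # empty field, or white space next to a separator
    action, rule_type, obj = fields
    if action not in VALID_ACTIONS or rule_type not in VALID_TYPES:
        return None
    # unix_user: multi-valued, values separated by ',' (ASCII 0x2C).
    # White space around an individual value is stripped, matching the
    # page's "user1, user2, user3" example (assumption).
    values = [v.strip() for v in obj.split(",")]
    if any(v == "" for v in values):
        return None  # "user1,,user2" or a trailing ','
    return AccessRule(action, rule_type, values)


def lint_policy(text: str) -> Tuple[List[AccessRule], List[Tuple[int, str]]]:
    """Return (valid rules, [(line number, text) of rules that would be ignored])."""
    rules: List[AccessRule] = []
    ignored: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if raw.strip() == "" or raw.lstrip().startswith("#"):
            continue
        parsed = parse_rule(raw)
        if parsed is None:
            ignored.append((lineno, raw))
        else:
            rules.append(parsed)
    return rules, ignored


# Constructed sample policy fragment; only the first two lines are valid.
SAMPLE_POLICY = "\n".join([
    "deny:unix_user:user1, user2, user3",
    "allow:unix_user:user4",
    "deny :unix_user:user5",          # space before the separator
    "deny:unix_user",                 # <rule> field missing
    "allow:unix_user:user6:extra",    # four fields
    " allow:unix_user:user7",         # leading space in <action>
])

if __name__ == "__main__":
    valid, dropped = lint_policy(SAMPLE_POLICY)
    for r in valid:
        print(f"OK      {r.action}:{r.rule_type}:{','.join(r.values)}")
    for lineno, text in dropped:
        print(f"IGNORED line {lineno}: {text!r}")
```

Run against the real /etc/opt/ldapux/pam_authz.policy, the IGNORED lines are the ones to fix before trusting that a deny rule is enforced.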

 

 

 

 

112

Chapter 4