Administering LDAP-UX Client Services

PAM_AUTHZ Login Authorization Enhancement

evaluated to be true. PAM_AUTHZ obtains the netgroup information by querying the name services specified in nsswitch.conf. For example:

allow:netgroup:netgroup1,netgroup2,netgroup3

A user who belongs to netgroup1 tries to log in. The above access rule evaluates to true, and the user is granted login access.

ldap_group

This option specifies that an access rule is based on non-POSIX group membership. PAM_AUTHZ supports LDAP groups with the groupOfNames or groupOfUniqueNames objectclass. A list of ldap_group names is specified in the <object> field. The group membership information is stored in the LDAP directory server. An example of an ldap_group type of access rule is as follows:

deny:ldap_group:engineering_ldapgroup,support_ldapgroup,epartner_ldapgroup

PAM_AUTHZ retrieves the group membership of each listed group from the directory server through LDAP-UX Client Services. It then checks whether the user's Distinguished Name (DN) matches any value in the group's member or uniqueMember attribute.

ldap_filter

In role-based access management, permission to access a resource is controlled by the user's role, such as sales force, technical support, or subscriber status; roles are typically defined by common business attributes of users according to company policy. The ldap_filter access rule applies the same concept. A search filter is defined in the <object> field and consists of one or more (attribute=value) pairs. If the user entry is successfully retrieved from the directory server using that search filter, the access rule is considered true. An example of an ldap_filter type of access rule is as follows:

allow:ldap_filter:(&(manager=paulw)(businesscategory=marketing))
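The three rule types above share one shape, action:type:object, and differ only in how the object is matched against the user. The following added example (not HP's PAM_AUTHZ code) evaluates a small policy of netgroup, ldap_group and ldap_filter rules against constructed user entries. The directory contents, user names and DNs are made up; the backslash line-continuation syntax, first-matching-rule-wins evaluation and default deny are assumptions for illustration, not statements about the real module.

```python
"""Evaluate PAM_AUTHZ-style access rules (action:type:object) against a user.
Added example, not HP's code. Directory data, continuation syntax and the
first-match/default-deny semantics are constructed assumptions."""
from dataclasses import dataclass
import re

# Constructed stand-ins for what the real module fetches via nsswitch / LDAP.
NETGROUPS = {"netgroup1": {"alice"}, "netgroup2": {"erin"}, "netgroup3": set()}
LDAP_GROUPS = {  # groupOfNames uses member; groupOfUniqueNames uses uniqueMember
    "engineering_ldapgroup": {"member": {"uid=bob,ou=people,dc=example,dc=com"}},
    "support_ldapgroup": {"uniquemember": {"uid=frank,ou=people,dc=example,dc=com"}},
    "epartner_ldapgroup": {"member": set()},
}

@dataclass
class User:
    name: str
    dn: str
    attrs: dict  # attributes of the user's LDAP entry: lowercase keys, tuple values

def join_continuations(text):
    """Join lines ending in '\\' (assumed syntax, as in the manual's wrapped filter)."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    return [l for l in lines if l and not l.startswith("#")]

def parse_rule(line):
    action, rtype, obj = line.split(":", 2)  # maxsplit keeps ':' inside filters intact
    if action not in ("allow", "deny") or rtype not in ("netgroup", "ldap_group", "ldap_filter"):
        raise ValueError(f"malformed rule: {line!r}")
    return action, rtype, obj

def _expect_close(s, i):
    if s[i] != ")":
        raise ValueError(f"expected ')' at {i} in {s!r}")
    return i + 1

def parse_filter(s, i=0):
    """Parse an LDAP search filter into ('&'|'|', [kids]) / ('!', kid) / ('=', attr, value)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i} in {s!r}")
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), _expect_close(s, i)
    if s[i] == "!":
        node, i = parse_filter(s, i + 1)
        return ("!", node), _expect_close(s, i)
    j = s.index(")", i)
    attr, value = s[i:j].split("=", 1)
    return ("=", attr.lower(), value), j + 1

def match_filter(node, attrs):
    kind = node[0]
    if kind == "&":
        return all(match_filter(k, attrs) for k in node[1])
    if kind == "|":
        return any(match_filter(k, attrs) for k in node[1])
    if kind == "!":
        return not match_filter(node[1], attrs)
    _, attr, value = node
    pattern = re.escape(value).replace(r"\*", ".*")  # '*' is the only wildcard handled here
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in attrs.get(attr, ()))

def rule_matches(rule, user):
    _, rtype, obj = rule
    if rtype == "netgroup":  # any listed netgroup containing the user makes the rule true
        return any(user.name in NETGROUPS.get(g, ()) for g in obj.split(","))
    if rtype == "ldap_group":  # user's DN must appear in member or uniqueMember
        for g in obj.split(","):
            grp = LDAP_GROUPS.get(g, {})
            members = set(grp.get("member", ())) | set(grp.get("uniquemember", ()))
            if user.dn.lower() in {m.lower() for m in members}:
                return True
        return False
    node, end = parse_filter(obj)  # ldap_filter: does the entry satisfy the filter?
    if end != len(obj):
        raise ValueError(f"trailing text in filter {obj!r}")
    return match_filter(node, user.attrs)

def authorize(policy_text, user, default="deny"):
    """Return 'allow' or 'deny': first matching rule wins, else default (assumed)."""
    for line in join_continuations(policy_text):
        rule = parse_rule(line)
        if rule_matches(rule, user):
            return rule[0]
    return default

POLICY = """# constructed policy using the manual's three rule types
deny:ldap_group:engineering_ldapgroup,support_ldapgroup,epartner_ldapgroup
allow:netgroup:netgroup1,netgroup2,netgroup3
allow:ldap_filter:(&(manager=paulw)(business\\
category=marketing))
"""
BASE = "ou=people,dc=example,dc=com"
USERS = {  # constructed entries
    "alice": User("alice", f"uid=alice,{BASE}", {}),
    "bob": User("bob", f"uid=bob,{BASE}", {"manager": ("paulw",)}),
    "carol": User("carol", f"uid=carol,{BASE}", {"manager": ("paulw",), "businesscategory": ("marketing",)}),
    "dave": User("dave", f"uid=dave,{BASE}", {}),
}

if __name__ == "__main__":
    for name, u in USERS.items():
        print(f"{name}: {authorize(POLICY, u)}")
```

Running the block prints allow for alice (netgroup1), deny for bob (DN listed in engineering_ldapgroup, and the deny rule is evaluated first), allow for carol (her entry satisfies the filter) and deny for dave (no rule matches, so the assumed default applies). Keeping the deny rule ahead of the allow rules is what makes group membership override netgroup or filter matches; reversing the order would change the outcome for a user who is in both.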

Chapter 4