Administering
PAM_AUTHZ Login Authorization Enhancement
evaluated to be true. PAM_AUTHZ obtains the netgroup information by querying the name services specified in nsswitch.conf. For example:
allow:netgroup:netgroup1,netgroup2,netgroup3
A user who belongs to netgroup1 tries to log in. The above access rule evaluates to true, and the user is granted login access.
ldap_group
This option specifies that an access rule is based on the
deny:ldap_group:engineering_ldapgroup,support_ldapgroup,epartner_ldapgroup
PAM_AUTHZ retrieves group membership of each listed group from the directory server through
ldap_filter
In role-based access management, permission to access a resource is controlled by the user's role, such as sales force, technical support or subscriber status; roles are typically defined by common business attributes of users according to company policy. The ldap_filter access rule applies the same concept. The <object> field holds an LDAP search filter, which consists of one or more (attribute=value) pairs. If the user's entry is successfully retrieved from the directory server using that search filter, the access rule evaluates to true. An example of an ldap_filter access rule follows:
allow:ldap_filter:(&(manager=paulw)(businesscategory=marketing))
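The following is an added example, written for this edit and not taken from HP's PAM_AUTHZ implementation, that shows how the three rule types quoted above (netgroup, ldap_group and ldap_filter) can be parsed and evaluated for a login. It makes assumptions the page does not state: rules are checked in file order and the first rule whose condition is true decides the outcome, a caller-supplied default applies when no rule matches, and the netgroup and directory-server lookups are replaced by in-memory tables with constructed users. The small LDAP filter evaluator handles the &, | and ! operators plus equality and presence items, which is enough for the filter shown on the page.

```python
"""Simulated evaluator for PAM_AUTHZ-style access rules of the form action:type:object.

Added example, not HP's PAM_AUTHZ code. Assumptions: first matching rule wins,
a caller-supplied default applies when nothing matches, and lookups use the
constructed in-memory tables below instead of nsswitch and a directory server.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable

# Constructed sample data standing in for nsswitch netgroups and the directory server.
NETGROUPS = {"netgroup1": {"alice"}, "netgroup2": set(), "netgroup3": set()}
LDAP_GROUPS = {"engineering_ldapgroup": {"dave"}, "support_ldapgroup": {"erin"}, "epartner_ldapgroup": set()}
DIRECTORY = {  # attribute names stored lowercase; LDAP attribute types are case-insensitive
    "alice": {"uid": "alice", "manager": "paulw", "businesscategory": "marketing"},
    "bob": {"uid": "bob", "manager": "paulw", "businesscategory": "engineering"},
    "dave": {"uid": "dave", "manager": "janed", "businesscategory": "engineering"},
    "erin": {"uid": "erin", "manager": "janed", "businesscategory": "support"},
    "frank": {"uid": "frank", "manager": "paulw", "businesscategory": "marketing"},
}

Predicate = Callable[[dict], bool]


@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    kind: str    # "netgroup", "ldap_group" or "ldap_filter"
    obj: str     # comma-separated names, or one LDAP search filter


def parse_rule(line: str) -> Rule:
    # Split on at most two colons so a filter that itself contains ':' survives intact.
    action, kind, obj = line.strip().split(":", 2)
    if action not in ("allow", "deny"):
        raise ValueError(f"bad action {action!r}")
    return Rule(action, kind, obj)


def _parse_filter(s: str, i: int) -> tuple[Predicate, int]:
    """Parse the parenthesised filter at s[i]; return (predicate, index just past it).

    Supports &, |, ! and equality/presence items only (no RFC 4515 escapes or substrings).
    """
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    op = s[i] if i < len(s) else ""
    if op in ("&", "|", "!"):
        i += 1
        children: list[Predicate] = []
        while i < len(s) and s[i] == "(":
            child, i = _parse_filter(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")" or not children or (op == "!" and len(children) != 1):
            raise ValueError(f"malformed '{op}' component near offset {i}")
        if op == "&":
            pred: Predicate = lambda e: all(c(e) for c in children)
        elif op == "|":
            pred = lambda e: any(c(e) for c in children)
        else:
            pred = lambda e: not children[0](e)
        return pred, i + 1
    j = s.find(")", i)
    if j < 0:
        raise ValueError("unterminated filter item")
    attr, eq, value = s[i:j].partition("=")
    if eq != "=" or not attr:
        raise ValueError(f"malformed item near offset {i}")
    name, want = attr.lower(), value.lower()
    if want == "*":  # presence test, e.g. (manager=*)
        pred = lambda e: name in e
    else:            # equality; case-insensitive matching assumed for these attributes
        pred = lambda e: str(e.get(name, "")).lower() == want
    return pred, j + 1


def ldap_filter_matches(filt: str, entry: dict) -> bool:
    pred, end = _parse_filter(filt, 0)
    if end != len(filt):
        raise ValueError("trailing characters after filter")
    return pred(entry)


def rule_matches(rule: Rule, user: str) -> bool:
    if rule.kind == "netgroup":
        return any(user in NETGROUPS.get(g, ()) for g in rule.obj.split(","))
    if rule.kind == "ldap_group":
        return any(user in LDAP_GROUPS.get(g, ()) for g in rule.obj.split(","))
    if rule.kind == "ldap_filter":
        entry = DIRECTORY.get(user)
        # A user with no directory entry can never satisfy a filter rule.
        return entry is not None and ldap_filter_matches(rule.obj, entry)
    raise ValueError(f"unknown rule type {rule.kind!r}")


def authorize(policy: str, user: str, default: str = "deny") -> str:
    """Return "allow" or "deny" for user; the first matching rule wins (assumption)."""
    for line in policy.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        if rule_matches(rule, user):
            return rule.action
    return default


# The three rules quoted on the page, combined into one policy; their order matters.
POLICY = """\
allow:netgroup:netgroup1,netgroup2,netgroup3
deny:ldap_group:engineering_ldapgroup,support_ldapgroup,epartner_ldapgroup
allow:ldap_filter:(&(manager=paulw)(businesscategory=marketing))
"""

if __name__ == "__main__":
    for who in ("alice", "bob", "dave", "frank", "zed"):
        print(f"{who}: {authorize(POLICY, who)}")
```

Running it shows why rule order deserves review when writing a policy: alice is allowed by the netgroup rule before the later deny rule is ever considered, frank is allowed only through the ldap_filter rule, and a user with no directory entry at all falls through to the default.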
116 | Chapter 4 |