Policy Validator | HP UX LDAP-UX Integration Software instruction

Administering LDAP-UX Client Services

PAM_AUTHZ Login Authorization Enhancement

	In the above example, if a user reports to paulw and
	the user’s job is related to marketing, then the user is
	granted the login access. The rule structure is very
	ﬂexible about how to deﬁne access for certain groups of
	users.
	other
	PAM_AUTHZ ignores any access rules deﬁned in the
	<object> ﬁeld. The access rule is evaluated to be true
	immediately. For example,
	allow:other
	In the above example, all users are granted the login
	access to the machine. The primary usage of this type
	of rule is to toggle PAM_AUTHZ default <action>.
<object>	The values in this ﬁeld deﬁne the policy criteria that
	PAM_AUTHZ uses to validate with the login name.
	The values in this ﬁeld are dependent on the option
	that is stated in the <type> ﬁeld.

Policy Validator

PAM_AUTHZ works as a policy validator. Once it receives a PAM request, it starts to process the access rules deﬁned in pam_authz.policy. It validates and determines the user’s login authorization based on the user’s login name and the information it retrieves from various name services. The result is then returned to the PAM framework.

PAM_AUTHZ processes access rules in the order they are deﬁned in the pam_authz.policy. It stops processing the access rules when any one of the access rules is evaluated to be true (match). That rule is called the "authorative" rule. If any access rule is evaluated to be false (no match), the rule is skipped. If all access rules in the policy ﬁle have been evaluated but the user’s access right can not be determined, the user is restricted from login.

NOTE	The default <action> of PAM_AUTHZ is "deny" if no authorative rule is
	found.

Chapter 4

117

Image 131

HP UX LDAP-UX Integration Software manual Policy Validator

Contents

Manufacturing Part Number J4269-90071 E0207 Edition Legal Notices Contents Administering LDAP-UX Client Services Command and Tool Reference User Tasks Tables Viii Figures Figures New and Changed Documentation in This Edition Intended Audience What’s in This document Publishing History Xiii HP Encourages Your Comments Typographical Conventions Chapter Overview of LDAP-UX Client Services Simpliﬁed NIS Environment Overview of LDAP-UX Client Services Introduction How LDAP-UX Client Services WorksTrafﬁc from replica updates Simpliﬁed LDAP-UX Client Services Environment That use PAM and NSS Examples of Commands and SubsystemsCommands that use Commands that use PAM Login, ftpd Ls, who Overview of LDAP-UX Client Services Local Start-up File and the Conﬁguration Proﬁle Overview of LDAP-UX Client Services Chapter Before You Begin LDAP-UX Client Services Summary of Installing and Conﬁguring Summary of Installing and Conﬁguring Optionally modify the /etc/opt/ldapux/pamauthz.policy Plan Your Installation Plan Your Installation Still log in to the system Share user names and passwords with other applications, Example Directory Structure Plan Your Installation Plan Your Installation Section must be set to yes. If the start option is enabled, Plan Your Installation Install LDAP-UX Client Services on a Client Install LDAP-UX Client Services on a Client Step Conﬁgure Your DirectoryConﬁgure Your Directory Conﬁgure Your Directory Grant read access of all attributes of the posix schema Conﬁgure Your Directory Import Name Service Data into Your Directory Import Name Service Data into Your Directory Directory Steps to Importing Name Service Data into Your Conﬁgure the LDAP-UX Client Services Conﬁgure the LDAP-UX Client Services Conﬁgure the LDAP-UX Client Services Quick Conﬁguration Required to start the services Simple Sasl DIGEST-MD5 Conﬁguration Parameter Default Values Conﬁgure the LDAP-UX Client Services Custom Conﬁguration Specify up to three directory hosts, to be searched in order Specify the service you want to map? Specify the attribute you want to map You type 0 to exit this menu for the following question Answer Y instead of the default N For the question You want to create a custom search descriptor for Conﬁgure the LDAP-UX Client Serivces with SSL Support Conﬁgure the LDAP-UX Client Serivces with SSL Support Steps to Download the CA Certiﬁcate from Mozilla Browser Conﬁguring the LDAP-UX Client to Use SSL Mail users, and Trust the CA to identify software developers Use the rm command to remove the old database ﬁles Steps to create database ﬁles using the certutil utility Conﬁgure the LDAP-UX Client Serivces with SSL Support Conﬁgure LDAP-UX Client Services with Publickey Support Conﬁgure LDAP-UX Client Services with Publickey Support October Enhanced Publickey-LDAP Software for HP-UX 11i v1 orJune Conﬁguring an Admin Proxy User Using ldapproxyconﬁg Extending the Publickey Schema into Your DirectoryAdmin Proxy User An Example Setting ACI for Key ManagementPassword for an Admin Proxy User Setting ACI for an Admin Proxy User Setting ACI for a User Conﬁguring serviceAuthenticationMethod Procedures Used to Conﬁgure serviceAuthenticationMethod Authentication Methods ServiceAuthenticationMethodkeyservsasl/digest-md5 Conﬁguring Name Service Switch Conﬁgure LDAP-UX Client Services with Publickey Support AutoFS Support Automount SchemasAutoFS Support AutoFS Patch Requirement Schema New Automount Schema An Example NisObject Automount Schema Limitations Obsolete Automount SchemaRemoving The Obsolete Automount Schema Attribute Mappings New Automount Attribute NisObject Automount Attribute Mappings Environment Variables AutoFS Migration ScriptsMigration Scripts Description General Syntax For Migration Scripts Examples Syntax Migrateautomount.pl Script AutoFS Support Following shows the /tmp/autoindirect.ldif ﬁle Migratenisautomount.pl Script Following shows the nispautomap.ldif ﬁle Migratenispautofs.pl Script Verify the LDAP-UX Client Services Verify the LDAP-UX Client Services Making sure the output is as expected Verify the LDAP-UX Client Services #cat /etc/nsswitch.conf Conﬁgure Subsequent Client Systems Conﬁgure Subsequent Client Systems Change the current conﬁguration Download the Proﬁle Periodically Download the Proﬁle Periodically Crontab crontab.profile #passwordas = Use r-command for PamldapUse r-command for Pamldap Password, and turning on the rcommand option for pamldap Use r-command for Pamldap Chapter Ldap Printer Conﬁgurator Overview OverviewDeﬁnitions System How the Ldap Printer Conﬁgurator works How the Ldap Printer Conﬁgurator works System administrator manually adds or removes printers to Printer Conﬁgurator Architecture Printer Conﬁguration Parameters Printer Conﬁguration Parameters An Example Printer SchemaPrinter Schema Printer Schema Example Managing the LP printer conﬁgurationManaging the LP printer conﬁguration Managing the LP printer conﬁguration Managing the LP printer conﬁguration Limitations of Printer Conﬁgurator Limitations of Printer Conﬁgurator Limitations of Printer Conﬁgurator Chapter Administering LDAP-UX Client Overview Using The LDAP-UX Client DaemonUsing The LDAP-UX Client Daemon Client Daemon performance LdapclientdStarting the client Controlling the client Diagnostics Command options Conﬁguration ﬁle syntax Missing settingsLdapclientd.conf Opt/ldapux/conﬁg/setup Using The LDAP-UX Client Daemon 100 Chapter 101 102 Chapter 103 Conﬁguration File Auditing Integrating with Trusted ModeFeatures and Limitations Integrating with Trusted Mode Password and Account Policies Chapter 107 PAM Conﬁguration FileOthers Conﬁguration Parameter Chapter 109 Pamauthz Login Authorization EnhancementPolicy And Access Rules Pamauthz Login Authorization Enhancement Pamauthz Environment How Login Authorization Works Chapter 111 Policy File Actiontyperule Constructing an Access Rule in pamauthz.policyFields in an Access Rule Field Syntax in an Access Rule Chapter 113 Action No value is required Chapter 115 116 Chapter 117 Policy Validator An Example of /etc/opt/ldapux/pamauthz.policy File Adding a Directory ReplicaAdding a Directory Replica Chapter 119 Displaying the Proxy User’s DNDisplaying the Proxy User’s DN Verifying the Proxy User Verifying the Proxy UserCreating a New Proxy User Example Chapter 121 Displaying the Current ProﬁleCreating a New Proﬁle Displaying the Current Proﬁle Modifying a Proﬁle Changing Which Proﬁle a Client Is UsingModifying a Proﬁle Changing from Anonymous Access to Proxy Access Changing from Anonymous Access to ProxyAccess Changing from Proxy Access to Anonymous Access Changing from Proxy Access to Anonymous Access Chapter 125 Performance ConsiderationsMinimizing Enumeration Requests Performance Considerations Client Daemon Performance Client Daemon PerformanceLdapclientd Caching Chapter 127 Map Name Beneﬁts Example Side-Effect 128 Chapter 129 Ldapclientd Persistent Connections Chapter 131 TroubleshootingTroubleshooting Enabling and Disabling LDAP-UX Logging TIP Enabling and Disabling PAM Logging Chapter 133 Netscape Directory Server Log FilesUser Cannot Log on to Client System 134 Chapter 135 You should get output like the following 136 Chapter 137 Command and Tool Reference LDAP-UX Client Services Components Description LDAP-UX Client Services ComponentsLDAP-UX Client Services Components Chapter 139 LDAP-UX Client Services ComponentsComponent Description PA machine Files Description LDAP-UX Client Services Libraries on the HP-UX 11.0 or 11i Chapter 141 LDAP-UX Client Services Libraries on the HP-UX 11i v2 PAMachine Files Description LDAP-UX Client Services Libraries on the HP-UX 11i v2 IA Client Management Tools Client Management ToolsCreateproﬁleentry Tool Createproﬁlecache Tool Displayproﬁlecache Tool Createproﬁleschema Tool Chapter 145 Getproﬁleentry Tool Getprofileentry -s NSS Ldapproxyconﬁg Tool Chapter 147 File 148 Chapter 149 Beq Search Tool Beq Search ToolSyntax Chapter 151 Examples 152 Chapter 153 Uid2dn Tool Ldap Directory Tools Ldap Directory ToolsGetattrmap.pl Tool Chapter 155 Ldapentry 156 Chapter 157 Ldapsearch Ldapmodify Ldapdelete Certutil Chapter 159 Adding One or More UsersAdding One or More Users Naming Context Name Service Migration ScriptsName Service Migration Scripts Default Naming Context Chapter 161 Migrating All Your FilesMigrating Individual Files Migration Scripts Script Name Description General Syntax for Perl Migration ScriptsMigration Scripts Chapter 163 Script Name Description 164 Chapter 165 Ldappasswd Command Ldappasswd Command Chapter 167 168 Chapter 169 To Change Passwords Cannot Change Passwords on Replica Servers To Change Passwords Chapter 171 172 Chapter 173 To Change Personal InformationTo Change Personal Information 174 Chapter 175 Mozilla Ldap C SDK 176 Files Description Mozilla Ldap C SDK File ComponentsMozilla Ldap C SDK File Components Mozilla Ldap C SDK File Components on the PA machine Mozilla Ldap C SDK File Components on the IA machine Chapter 179 Header Files Description Mozilla Ldap C SDK API Header Files Chapter 181 182 Appendix a 183 Table A-1 LDAP-UX Client Services Conﬁguration Worksheet Appendix a Appendix a 185 186 Appendix B 187 Classes Appendix B Proﬁle AttributesProﬁle Attributes Appendix B 189 190 Appendix C 191 ﬁle Appendix C Sample /etc/pam.ldap.trusted ﬁle Appendix C 193 194 Glossary 195 PAM Authorization Service ModuleGlossary Ldap Data Interchange Format Ldif Glossary Slapd Index Symbols NIS, 2, 12, 15 Pwget, 4, 69 200