Administering
The following describes the situations in which PAM_AUTHZ skips an access rule and does not process it:
• An access rule contains the wrong syntax.
• PAM_AUTHZ processes the ldap_filter and ldap_group types of access rules by querying the LDAP directory server through the ldapclientd daemon. If
An Example of the /etc/opt/ldapux/pam_authz.policy File
The following shows an example of the /etc/opt/ldapux/pam_authz.policy file:
allow:unix_user:user1,user2,user3
allow:unix_group:group1,group2
deny:unix_group:group11,group12
allow:netgroup:netgroup1,netgroup2
allow:ldap_group:ldapgroup1,ldapgroup2
allow:ldap_filter:(&(manager=Joeh) (department=marketing))
PAM_AUTHZ processes access rules in the order in which they are defined in the pam_authz.policy file, and it stops evaluating as soon as one of the access rules is matched. In the example above, if the user2 user attempts to log in, the user name matches the first access rule, so PAM_AUTHZ stops evaluating the remaining access rules and allows user2 to log in. Suppose the user3 user is a member of the ldapgroup2 group and that this is the only group the user belongs to. PAM_AUTHZ validates user3's login access by evaluating the access rules defined in pam_authz.policy in order; when the fifth access rule is evaluated, user3 is found to be a member of the listed group, ldapgroup2, and is granted login access.
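The evaluation order described above, as an added illustration that is not LDAP-UX code: a small evaluator for the action:type:object_list rule format that skips malformed rules and lets the first matching rule decide. The group memberships, the extra malformed "permit" line, and the ldap_filter_match hook (standing in for the directory query PAM_AUTHZ makes through ldapclientd) are constructed assumptions; what PAM_AUTHZ does when no rule matches is not stated on this page, so the evaluator simply returns None in that case.

```python
# Added example: evaluate pam_authz.policy rules in file order, first match wins.
# Not LDAP-UX code; memberships and the malformed "permit" line are constructed.
RULE_TYPES = ("unix_user", "unix_group", "netgroup", "ldap_group", "ldap_filter")

POLICY = """\
permit:unix_user:user9
allow:unix_user:user1,user2,user3
allow:unix_group:group1,group2
deny:unix_group:group11,group12
allow:netgroup:netgroup1,netgroup2
allow:ldap_group:ldapgroup1,ldapgroup2
allow:ldap_filter:(&(manager=Joeh) (department=marketing))
"""

# Constructed memberships; a real evaluator resolves these from /etc/group,
# netgroups and the LDAP directory (via ldapclientd).
USERS = {
    "user2": {},
    "user7": {"ldap_group": {"ldapgroup2"}},
    "user9": {"unix_group": {"group12"}},
}


def parse_policy(text):
    """Return (action, type, objects) for each well-formed rule, in file order."""
    rules = []
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        # Wrong syntax (bad field count, action or type): the rule is skipped,
        # so "permit:unix_user:user9" above neither allows nor denies user9.
        if len(parts) != 3 or parts[0] not in ("allow", "deny") or parts[1] not in RULE_TYPES:
            continue
        rules.append(tuple(parts))
    return rules


def evaluate(user, rules, ldap_filter_match=None):
    """Return the action of the first matching rule, or None if no rule matches.

    ldap_filter_match(user, filter) is a hypothetical hook for the directory
    query PAM_AUTHZ performs; when absent (offline), ldap_filter rules never match.
    """
    attrs = USERS.get(user, {})
    for action, rtype, objects in rules:
        if rtype == "ldap_filter":
            matched = bool(ldap_filter_match) and ldap_filter_match(user, objects)
        elif rtype == "unix_user":
            matched = user in objects.split(",")
        else:
            matched = bool(attrs.get(rtype, set()) & set(objects.split(",")))
        if matched:
            return action
    return None
```

user9 is denied by the third rule because the malformed first line is skipped rather than treated as an allow.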
Adding a Directory Replica
Your LDAP directory contains the configuration profiles that each client system downloads and the name service data that each client system accesses. As your environment grows, you may need to add a directory replica to your