Query: pam_roles
OS: sunos
Section: 5
Format: Original Unix Latex Style Formatted with HTML and a Horizontal Scroll Bar
pam_roles(5) Standards, Environments, and Macros pam_roles(5)NAMEpam_roles - Solaris Roles account management moduleSYNOPSISpam_roles.so.1DESCRIPTIONThe pam_roles module implements pam_sm_acct_mgmt(3PAM). It provides functionality to verify that a user is authorized to assume a role. It also prevents direct logins to a role. The user_attr(4) database is used to determine which users can assume which roles. The PAM items PAM_USER and PAM_RUSER are used to determine the outcome of this module. PAM_USER represents the new identity being veri- fied. PAM_RUSER, if set, represents the user asserting a new identity. If PAM_RUSER is not set, the real user ID of the calling service implies that the user is asserting a new identity. Notice that root can never have roles. This module is generally stacked above the pam_unix_account(5) module. The following options are interpreted: debug Provides syslog(3C) debugging information at the LOG_DEBUG level.ERRORSThe following values are returned: PAM_IGNORE If the type of the new user identity (PAM_USER) is "normal". Or, if the type of the new user identity is "role" and the user asserting the new identity (PAM_RUSER) has the new identity name in its list or roles. PAM_USER_UNKNOWN No account is present for user. PAM_PERM_DENIED If the type of the new user identity (PAM_USER) is "role" and the user asserting the new identity (PAM_RUSER) does not have the new identity name in its list of roles.EXAMPLESExample 1: Using the pam_roles.so.1 module Here are sample entries from pam.conf(4) demonstrating the use of the pam_roles.so.1 module: cron account required pam_unix_account.so.1 # other account requisite pam_roles.so.1 other account required pam_unix_account.so.1 # The cron service does not invoke pam_roles.so.1. Delayed jobs are independent of role assumption. All other services verify that roles can- not directly login. The "su" service (covered by the "other" service entry) verifies that if the new user is a role, the calling user is authorized for that role.ATTRIBUTESSee attributes(5) for descriptions of the following attributes: +-----------------------------+-----------------------------+ | ATTRIBUTE TYPE | ATTRIBUTE VALUE | +-----------------------------+-----------------------------+ |Interface Stability |Evolving | +-----------------------------+-----------------------------+ |MT Level |MT-Safe with exceptions | +-----------------------------+-----------------------------+SEE ALSOroles(1), su(1M), libpam(3LIB), pam(3PAM), pam_acct_mgmt(3PAM), pam_setcred(3PAM), pam_set_item(3PAM), pam_sm_acct_mgmt(3PAM), syslog(3C), pam.conf(4), user_attr(4), attributes(5), pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5), pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5)NOTESThe interfaces in libpam(3LIB) are MT-Safe only if each thread within the multi-threaded application uses its own PAM handle. This module should never be stacked alone. It never returns PAM_SUCCESS, as it never makes a positive decision. SunOS 5.10 9 Mar 2004 pam_roles(5)
| Related Man Pages |
|---|
| pam_roles(5) - opensolaris |
| pam_unix_account(5) - hpux |
| pam_unix_account(5) - plan9 |
| pam_unix_account(5) - x11r4 |
| pam_unix_account(5) - v7 |
| Similar Topics in the Unix Linux Community |
|---|
| pam module quesion |
| Solaris 10 Kerberos with local account locking |
| PAM settings. |
| Sol10 - OpenLDAP Auth |
| Solaris10 and Windows2000 authentication. |